Cortex XDR's custom incident scoring rules allow organizations to tailor incident prioritization to their specific environment and security needs. These rules can modify an incident's score based on various criteria. By creating rules that increase the score for specific alert categories (e.g., malware, ransomware), analysts can adjust the perceived severity. Similarly, rules can be configured to significantly raise the score for any alerts involving predefined business-critical assets (like domain controllers or executive laptops), ensuring these incidents receive immediate attention. This helps security teams focus their efforts on the most significant threats to the organization.

The Cortex XDR causality chain is a fundamental analysis tool that provides a visual, chronological narrative of an incident. It automatically stitches together disparate activities—such as process executions, file modifications, and network connections—into a single, comprehensible graph. This allows an analyst to quickly identify the root cause of an alert, trace the sequence of malicious or suspicious events, and understand the full scope and impact of an attack without manually correlating logs from different sources.

The timeline view in Cortex XDR is a fundamental tool for incident investigation. It organizes all associated alerts and events into a chronological sequence. This presentation allows an analyst to follow the progression of an attack step-by-step, from the initial alert to subsequent activities. By visualizing the events in the order they occurred, analysts can effectively reconstruct the attack flow, understand the attacker's methodology, and identify the full scope of the incident.

The 'Disabled' operational state in Cortex XDR indicates that the agent is installed on the endpoint, but its protection capabilities have been intentionally deactivated. An administrator typically disables an agent for troubleshooting or maintenance, which stops the agent from enforcing its security policy. In this state, the endpoint is vulnerable as the agent is not actively monitoring, preventing, or reporting security events. The agent remains installed and can be re-enabled by an administrator to resume protection.

Cortex Query Language (XQL) provides several aggregation functions to perform calculations and summarize data from query results. The COUNT() function is used to return the number of results in a specified field or for the entire dataset. The SUM() function calculates the total value of a numeric field across the results. Both are fundamental aggregation functions used for data analysis within XQL. Functions like PATCH() or REMEDIATE() are not part of the XQL syntax; they represent response actions available within the Cortex XDR platform, separate from the data querying process.

Cortex XDR integrates with Cortex XSOAR (Security Orchestration, Automation, and Response) to enable automated responses to threats. When Cortex XDR generates an alert or an incident that meets specific criteria, it can trigger a corresponding playbook in XSOAR. A playbook is a predefined, automated workflow that executes a series of response actions, such as isolating an endpoint, quarantining files, or blocking malicious indicators on a firewall. This integration allows security teams to automate repetitive tasks, accelerate response times, and ensure consistent handling of security events without manual intervention.

Prevention Profiles in Cortex XDR are specifically designed to configure the agent's threat prevention capabilities. This includes creating rules and defining actions for malware, exploits, and behavioral threats. Malware blocking rules are a core component of the Malware Protection module within a Prevention Profile.

In contrast, an Agent Settings Profile (formerly known as an Extension Profile) is used to manage the operational settings of the Cortex XDR agent and to enable and assign policies for add-on modules. Host Firewall and Device Control are examples of such modules, which have their own dedicated policy types that are applied to endpoints via an Agent Settings Profile.

The xdrdata dataset is the primary and most comprehensive data source within Cortex XDR. It serves as the central repository for all raw, low-level telemetry collected from various sensors, including Cortex XDR agents on endpoints and data from firewalls. This dataset contains granular event logs such as process executions, network connections, file activities, and registry modifications. Security analysts use the XDR Query Language (XQL) to directly query this raw data for in-depth threat hunting, incident investigation, and the creation of custom detection rules.

Indicator of Compromise (IOC) hunting is a proactive security process focused on searching for known malicious artifacts within an environment. When building a hunting query in Cortex XDR using the Query Builder or XQL, the primary focus is on these specific indicators. These indicators are atomic pieces of evidence, such as known malicious file hashes (MD5, SHA256), IP addresses, or domain names associated with threat actors or malware campaigns. The query is constructed to search through endpoint and network data logs to find any matches for these IOCs, which would signify a potential compromise.

The Cortex XDR incident score is a numerical value from 0-100 designed to help analysts prioritize their work by indicating the potential risk of an incident. The score is influenced by two primary factors. First, the severity levels of the alerts within the incident are a key determinant, with the score being heavily weighted by the highest severity alert. Second, the number of correlated alerts that constitute the incident provides critical context about the scope and scale of the potential attack. A larger number of correlated alerts suggests a more widespread or persistent threat, which in turn influences the overall score and priority.