* [Blog](https://www2.paloaltonetworks.com/blog)
* [Security Operations](https://www2.paloaltonetworks.com/blog/security-operations/)
* [AI and Cybersecurity](https://www2.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/)
* Always on the Case: Intro...

# Always on the Case: Introducing the AgentiX Case Investigation Agent

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Falways-on-the-case-introducing-the-agentix-case-investigation-agent%2F)  
[](https://twitter.com/share?text=Always+on+the+Case%3A+Introducing+the+AgentiX+Case+Investigation+Agent&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Falways-on-the-case-introducing-the-agentix-case-investigation-agent%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Falways-on-the-case-introducing-the-agentix-case-investigation-agent%2F&title=Always+on+the+Case%3A+Introducing+the+AgentiX+Case+Investigation+Agent&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/security-operations/always-on-the-case-introducing-the-agentix-case-investigation-agent/&ts=markdown)  
\[\](mailto:?subject=Always on the Case: Introducing the AgentiX Case Investigation Agent)  
Link copied  
By [Guy Liberman](https://www.paloaltonetworks.com/blog/author/guy-liberman/?ts=markdown "Posts by Guy Liberman")  
Mar 24, 2026  
4 minutes  
[AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown)  
[AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown)  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[Agentic AI](https://www.paloaltonetworks.com/blog/tag/agentic-ai/?ts=markdown)  
[case management](https://www.paloaltonetworks.com/blog/tag/case-management/?ts=markdown)  
[Cortex](https://www.paloaltonetworks.com/blog/tag/cortex/?ts=markdown)  
[Security Automation](https://www.paloaltonetworks.com/blog/tag/security-automation/?ts=markdown)  
[security operations](https://www.paloaltonetworks.com/blog/tag/security-operations/?ts=markdown)

In the modern SOC, every second counts. As adversaries weaponize AI to move from initial access to full impact in as little as [72 minutes](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report?utm_source=google-jg-amer-unit42-unrc-unpt&utm_medium=paid_search&utm_campaign=google-unit42-unit42_port-amer-multi-lead_gen-en-brand&utm_content=701Ki000000h65BIAQ&utm_term=palo%20alto%20unit%2042&cq_plac=&cq_net=g&gad_source=1&gad_campaignid=20369915902&gbraid=0AAAAADHVeKkuQrV9eAr1NHrKj2U1uaLUi&gclid=Cj0KCQiAk6rNBhCxARIsAN5mQLuxSfOCL-s6h5DQjfn1zO9XCkR_e-SnivbmhZLVh5cLU96lu4GUwioaAp-KEALw_wcB), analysts need to be faster than ever when it comes to deciphering cases and their impact on the organization.

Meet your new SOC teammate: the *Case Investigation Agent* . Accessed via the Cortex Agentic Assistant, the *Case Investigation Agent* is a context-aware companion that combines deep domain expertise with proprietary intelligence to help your team close cases faster. It acts as your case expert, taking the guesswork out of triage, providing contextual assistance and reasoning through an investigation to tell you exactly what happened and how to fix it.

## ​​\*\*"Crime-Scene" Reconstruction\*\*

When an analyst opens a case, the first question is always: What am I looking at? Each case comes with an AI-generated *case summary*, providing security analysts with an immediate debrief and helping them quickly grasp the case's scope and set a clear starting point for their investigation. As an investigation evolves, the case context is updated. Each time new data or issues are added, the system regenerates the description to reflect the most current information available.

## **Operationalizing AI in Your Case Investigation**

Once you have an overview of the case from the *case summary*, you want to expand the scope of the investigation. You can chat with the agent about the case. Some example prompts include:

* "How are these entities related to the case?"
* "Tell me more about these artifacts and indicators identified in this case."
* "Provide a detailed summary of the case."

The Case Investigation Agent doesn't just answer; it can act. It enables you to efficiently explore, clarify, and gain deeper insights throughout your investigation. This ensures that even the most complex investigations remain manageable, transparent, and highly efficient.

The video below illustrates how an analyst might engage with the Case Investigation Agent.

An analyst is working on a case and needs to learn more about the indicators identified.

She asks the agent to tell him what it knows about the indicators in this case, enrich them, and provide a summary of key findings.

The agent doesn't just jump to an answer. It reasons through the request and shows exactly how it plans the solution step by step, including the actions and tools it will use.

The agent reviews the case indicators: files, IPs, URLs, and domains. It checks verdicts across connected threat intelligence sources and examines factors such as prevalence, first seen, last seen, and additional context.

It then organizes all the information into a clear summary, showing which indicators actually matter, which ones are malicious, and why.

The analyst gets information she can act on. But she wants to dig a bit deeper. So, she asks the agent to look at past data and identify when these indicators were detected in the system.

The agent goes to the raw data. It builds a query to search the last 30 days of logs for the same indicators. The analyst doesn't need to know XQL, Cortex's native query language, to obtain this information; the agent handles it for her.

From here, the analyst can decide how to proceed. She can ask the agent to gather more details on affected assets and asset groups, or she can instruct it to take action, such as isolating a host, disabling an impacted user, or escalating the case.

## **Case Closed**

In the high-stakes world of the modern SOC, the "golden hour" of incident response has shrunk to minutes. The Cortex AgentiX Case Investigation Agent is your tireless partner on the case. From the moment a case is opened, it acts as your digital forensic expert, reconstructing the "crime scene" with AI-driven summaries and translating complex queries into plain English. Whether it's unmasking a root cause or isolating a compromised host, the agent doesn't just suggest the next move. It helps you make it.

**Explore our Case Investigation Agent and other AI innovations in [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix) or contact us for a [demo](https://www.paloaltonetworks.com/cortex/request-demo) today and unlock the full potential of your SOC team!**

.

*** ** * ** ***

## Related Blogs

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Automation of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/automation-of-the-week/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)

[#### Introducing the Cortex MCP Server](https://www2.paloaltonetworks.com/blog/security-operations/introducing-the-cortex-mcp-server/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### Modernising the SOC: Navigating the Shift to Platformization and Agentic AI](https://www2.paloaltonetworks.com/blog/security-operations/modernising-the-soc-navigating-the-shift-to-platformization-and-agentic-ai/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Automation of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/automation-of-the-week/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### A Day in the Life with Your AgentiX Automation Engineer Agent](https://www2.paloaltonetworks.com/blog/security-operations/a-day-in-the-life-with-your-agentix-automation-engineer-agent/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Automation of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/automation-of-the-week/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### Cortex AgentiX: A Behind-the-Scenes Perspective](https://www2.paloaltonetworks.com/blog/security-operations/cortex-agentix-a-behind-the-scenes-perspective/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### What's New in Cortex](https://www2.paloaltonetworks.com/blog/security-operations/whats-new-in-cortex/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### The SOC Is Now Agentic --- Introducing the Next Evolution of Cortex](https://www2.paloaltonetworks.com/blog/2026/02/soc-agentic-next-evolution-cortex/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language