Log Stitching is the "secret sauce" of the Cortex XDR platform. It is the automated process of taking raw, fragmented data from various sources—such as Palo Alto Networks Next-Generation Firewalls, Prisma Access, and Cortex XDR agents—and "stitching" them into a unified causality chain.
BIOC and Correlation Rules (B): Because log stitching links network activity (like a suspicious DNS request) directly to an endpoint process (like a specific cmd.exe instance), it allows analysts to write highly granular Behavioral Indicators of Compromise (BIOCs). Without stitching, you could only write a rule for "Suspicious DNS" or "Suspicious Process." With stitching, you can write a rule for "Process X making Suspicious DNS request Y," which drastically reduces false positives.
Unified Investigation Queries (D): Log stitching enables the use of XQL to query across datasets simultaneously. An analyst can run a single query that returns a timeline showing exactly when a file was downloaded (Network Log) and the exact moment that file was executed on the host (Endpoint Log). This provides the "Full Picture" required for rapid root-cause analysis.
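An added illustration of the stitching and the process-aware BIOC described above (example code, not Cortex XDR's own logic or schema): a constructed firewall DNS log is joined to a constructed endpoint process log on host and time window, and a plain "Suspicious DNS" rule is compared with a "cmd.exe making a suspicious DNS request" BIOC over the stitched records. Field names, timestamps, IPs and the suspicious domain suffix are all assumptions.

```python
# Added example: stitch a constructed firewall DNS log to a constructed endpoint
# process log on host + time window, then run a BIOC on the stitched record.
# Field names are assumptions, not the Cortex XDR schema.
from datetime import datetime

NETWORK_LOG = [  # constructed firewall events: which host asked for what, when
    {"ts": "2024-05-01T10:00:05", "src_ip": "10.0.0.5", "query": "update.microsoft.com"},
    {"ts": "2024-05-01T10:00:07", "src_ip": "10.0.0.5", "query": "x7k2.badtld.example"},
    {"ts": "2024-05-01T10:00:20", "src_ip": "10.0.0.9", "query": "x7k2.badtld.example"},
]
ENDPOINT_LOG = [  # constructed agent events: active process per host
    {"ts": "2024-05-01T10:00:04", "host_ip": "10.0.0.5", "process": "cmd.exe", "pid": 4120},
    {"ts": "2024-05-01T10:00:06", "host_ip": "10.0.0.5", "process": "cmd.exe", "pid": 4120},
    {"ts": "2024-05-01T10:00:19", "host_ip": "10.0.0.9", "process": "chrome.exe", "pid": 880},
]
SUSPICIOUS_DNS_SUFFIX = ".badtld.example"  # constructed indicator

def parse(ts):
    return datetime.fromisoformat(ts)

def stitch(network, endpoint, window_s=3):
    """Attach to each DNS event the latest endpoint process seen on the same
    host within window_s seconds before it, forming a causality record."""
    stitched = []
    for net in network:
        t = parse(net["ts"])
        candidates = [e for e in endpoint
                      if e["host_ip"] == net["src_ip"]
                      and 0 <= (t - parse(e["ts"])).total_seconds() <= window_s]
        proc = max(candidates, key=lambda e: e["ts"], default=None)  # most recent
        stitched.append({**net, "process": proc["process"] if proc else None,
                         "pid": proc["pid"] if proc else None})
    return stitched

def unstitched_alerts(network):
    """Rule possible without stitching: every suspicious DNS query fires."""
    return [n for n in network if n["query"].endswith(SUSPICIOUS_DNS_SUFFIX)]

def bioc_alerts(stitched, process="cmd.exe"):
    """BIOC possible only with stitching: suspicious DNS *from* a given process."""
    return [s for s in stitched
            if s["query"].endswith(SUSPICIOUS_DNS_SUFFIX) and s["process"] == process]

if __name__ == "__main__":
    records = stitch(NETWORK_LOG, ENDPOINT_LOG)
    print(len(unstitched_alerts(NETWORK_LOG)), "alert(s) without stitching")
    print(len(bioc_alerts(records)), "alert(s) with the process-aware BIOC")
```

The browser-driven lookup on the second host matches the network-only rule but not the BIOC, which is the false-positive reduction the explanation describes.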
Why other options are incorrect:
Option A: Prevention and remediation are handled by the Cortex XDR Agent and Firewall security profiles. While stitching informs these actions by providing context, the act of stitching itself is a data processing function, not a prevention mechanism.
Option C: Custom scripts are part of the Response and Automation frameworks (Live Terminal or XSOAR/XSIAM playbooks). They are not a function or result of the log stitching process.