drop cortex xdr incident export · parse alerts + investigation fields · runs locally
incidents · alerts · investigation timeline · local export only
heuristic screener · vendor schema varies · not definitive proof