Which Cortex XDR capability extends investigations to an endpoint?


The correct answer is "Live Terminal." This capability is the one that extends investigations to an endpoint because it lets security teams interact with the endpoint in real time. Through Live Terminal, investigators can run commands, collect data, and perform live forensics directly on the host machine, which is crucial for responding to and understanding potential threats or breaches.

The functionality of Live Terminal allows for more in-depth investigation processes, as it provides immediate access to the endpoint's operating environment. This is particularly valuable when analyzing suspicious activities or confirming the presence of malware, as it helps in gathering critical evidence that may not be available through traditional logging or data collection methods.

Other capabilities, such as log stitching and causality chain, focus on correlating data and establishing the sequence of events in a broader context, rather than providing direct interaction with the endpoint. Sensors are essential for gathering data and monitoring, but they do not offer the same level of investigatory access as Live Terminal does. Therefore, Live Terminal stands out as the capability that directly facilitates investigations at the endpoint level.
