Causality View
See the causality of an alert—the entire process execution
chain that led up to the alert in the Cortex XDR app.
The Causality View provides a powerful
way to analyze and respond to alerts. The scope of the Causality
View is the Causality Instance (CI) to which this alert
pertains. The Causality View presents the alert (generated by Cortex
XDR or sent to Cortex XDR from a supported alert source such as the
Cortex XDR agent) and includes the entire process execution chain
that led up to the alert. On each node in the CI chain, Cortex XDR
provides information to help you understand what happened around
the alert.
The Causality View comprises five sections:
Context
Summarizes information about the
alert you are analyzing, including the host name, the process name
on which the alert was raised, and the host IP and MAC address .
For alerts raised on endpoint data or activity, this section also
displays the endpoint connectivity status and operating system.
Causality Instance Chain
Includes the
graphical representation of the Causality Instance (CI) along with
other information and capabilities to enable you to conduct your
analysis.
The Causality View presents a single CI chain. The
CI chain is built from processes nodes, events, and alerts. The
chain presents the process execution and might also include events
that these processes caused and alerts that were triggered on the
events or processes. The Causality Group Owner (CGO) is displayed
on the left side of the chain. The CGO is the process that is responsible
for all the other processes, events and alerts in the chain. You
need the entire CI to fully understand why the alert occurred.
Causality
data is displayed as follows:
- Visualization of the branch between the CGO and the actor process of the alert/event.
- Display up to nine additional process branches that reveal alerts related to the alert/event. Branches containing alerts with the nearest timestamp to the original alert/event are displayed first.
- Causality cards that contain more causality data display aShowing Partial Causalityflag. You can manually add additional child or parent processes branches by right-clicking on the process nodes displayed in the graph.
The
Causality View provides an interactive way to view the CI chain
for an alert. You can move it, extend it, and modify it. To adjust
the appearance of the CI chain, you can enlarge/shrink the chain
for easy viewing using the size controls on the right. You can also
move the chain around by selecting and dragging it. To return the
chain to its original position and size, click
in the
lower-right of the CI graph.
in the
lower-right of the CI graph. The process node displays icons
to indicate when an RPC protocol or code injection event were executed
on another process from either a local or remote host.
Injected Node 
Remote IP address
Hover
over a process node to display a Process Information pop-up listing
useful information about the process. If available, the pop-up includes
the process Analytics Profiles.
- Pathof the process.
- Command lineof the process.
- SHA256value of the process.
- Usernameof the user that initiated the process.
- Signatureassociated with the process, if available.
- WildFireverdict, if available.
- Running timeof the process.
From
any process node, you can also right-click to display additional
actions that you can perform during your investigation:
- Show parents and children—If the parent is not presented by default, you can display it. If the process has children, Cortex XDR open a dialog displaying theChildrenProcess Start Time,Name,CMD, andUsernamedetails.
- Hide branch—Hide a branch from the Causality View.
- Add to block list or allow list, terminate, or quarantine a process—If after investigating the activity in the CI chain, you want to take action on the process, you can select the desired action to allow or block process across your organization.In the causality view of aDetection (Post Detected)type alert, you can alsoTerminate process by hash.
- Depending on the type of node—file, process, or IP address—open the artifact view:
- Open Hash Viewto display detailed information about the files and processes relating to the hash.
- Open IP Viewto display detailed information about the IP address.
- Initiate a remediation analysis.
Entity Data
Provides additional information
about the entity that you selected. The data varies by the type
of entity but typically identifies information about the entity
related to the cause of the alert and the circumstances under which
the alert occurred.
For example, device type, device information,
remote IP address.
When you investigate command-line arguments,
click
{***}
to obfuscate or decode the base64-encoded
string.For continued investigation, you can
copy the entire entity data summary to the clipboard.
Response Actions
You can choose to isolate
the host, on which the alert was triggered, from the network or
initiate a live terminal session to the host to continue investigation
and remediation.
Events Table
Displays up to 100,000 related
events for the process node which matches the alert criteria that
were not triggered in the alert table but are informational.
To
continue investigation, you can perform the following actions from
the right-click pivot menu:
- View in XQLto populate the event in an XQL search query that you can further refine, if needed.
- Addfrom the<path type>to malware profile allow listProcessandFiletable<path>fields. For example,target_process_path,src_process_path,file_path, oros_parent_path.
- For the behavioral threat protection results, you can take action on the initiator to add it to an allow list or block list, terminate it, or quarantine it.
- Revise the event results to see possible related events near the time of an event using an updated timestamp value toShow rows 30 days prioror30 days after.
To view statistics for files on VirusTotal,
you can pivot from the Initiator MD5 or SHA256 value of the file
on the Files tab.
