1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ Pro Administrator’s Guide
    5. Investigation and Response
    6. Investigate Alerts
    7. Causality View

    Causality View

    See the causality of an alert—the entire process execution chain that led up to the alert in the Cortex XDR app.
    The
    Causality View
     provides a powerful way to analyze and respond to alerts. The scope of the Causality View is the
    Causality Instance (CI)
     to which this alert pertains. The Causality View presents the alert (generated by Cortex XDR or sent to Cortex XDR from a supported alert source such as the Cortex XDR agent) and includes the entire process execution chain that led up to the alert. On each node in the CI chain, Cortex XDR provides information to help you understand what happened around the alert.
    causality-view.png
    The Causality View comprises five sections:

    Context

    Summarizes information about the alert you are analyzing, including the host name, the process name on which the alert was raised, and the host IP and MAC address . For alerts raised on endpoint data or activity, this section also displays the endpoint connectivity status and operating system.

    Causality Instance Chain

    Includes the graphical representation of the Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis.
    The Causality View presents a single CI chain. The CI chain is built from processes nodes, events, and alerts. The chain presents the process execution and might also include events that these processes caused and alerts that were triggered on the events or processes. The Causality Group Owner (CGO) is displayed on the left side of the chain. The CGO is the process that is responsible for all the other processes, events and alerts in the chain. You need the entire CI to fully understand why the alert occurred.
    The Causality View provides an interactive way to view the CI chain for an alert. You can move it, extend it, and modify it. To adjust the appearance of the CI chain, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click causality-view-reset-icon.png in the lower-right of the CI graph.
    The process node displays icons to indicate when an RPC protocol or code injection event were executed on another process from either a local or remote host.
    • causality-injected-event.png Injected Node
    • causality-remote-ip.png Remote IP address
    Hover over a process node to display a Process Information pop-up listing useful information about the process. If available, the pop-up includes the process Analytics Profiles.
    causality-process-information-ribbon.png
    • Path
       of the process.
    • Command line
       of the process.
    • SHA256
       value of the process.
    • Username
       of the user that initiated the process.
    • Signature
       associated with the process, if available.
    • WildFire
       verdict, if available.
    • Running time
       of the process.
    From any process node, you can also right-click to display additional actions that you can perform during your investigation:
    • Show parents and children
      —If the parent is not presented by default, you can display it. If the process has children, XDR app displays the number of children beneath the process name and allows you to display them for additional information.
    • Hide branch
      —Hide a branch from the Causality View.
    • Add to block list or allow list, terminate, or quarantine a process
      —If after investigating the activity in the CI chain, you want to take action on the process, you can select the desired action to allow or block process across your organization.
      In the causality view of a
      Detection (Post Detected)
       type alert, you can also
      Terminate process by hash
      .
    • Depending on the type of node—file, process, or IP address—open the artifact view:
      • Open Hash View
         to display detailed information about the files and processes relating to the hash.
      • Open IP View
         to display detailed information about the IP address.

    Entity Data

    Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred.
    For example, device type, device information, remote IP address.
    When you investigate command-line arguments, click
    {***}
     to obfuscate or decode the base64-encoded string.
    For continued investigation, you can copy the entire entity data summary to the clipboard.

    Response Actions

    You can choose to isolate the host, on which the alert was triggered, from the network or initiate a live terminal session to the host to continue investigation and remediation.

    Events Table

    Displays all related events for the process node which matches the alert criteria that were not triggered in the alert table but are informational .
    For the Behavioral Threat Protection table, right-click to add to allow list or block list, terminate, and quarantine a process.
    To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo