Cloud Causality View

See the causality of a cloud type alert—the entire process execution chain that led up to the alert in the Cortex XDR app.
The Cloud Causality View provides a powerful way to analyze and respond to Cortex XDR alerts and Cloud Audit Logs. The scope of the Cloud Causality View is the Causality Instance (CI) of an event to which this alert pertains. The Cloud Causality View presents the event identity and/or IP address and the actions performed by the identity on the cloud resource. On each node in the CI chain, Cortex XDR provides information to help you understand what happened around the event.
The Causality View comprises the following sections:


Summarizes information about the alert you are analyzing, including the type of Cloud Provider, Project, and Region on which the event occurred. Select View Raw Log to view the raw log as provided by the Cloud Provider in JSON format.

Causality Instance Chain

Includes the graphical representation of the Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis.
The Causality View presents a single event CI chain. The CI chain is built from Identity and Resource nodes. The Identity node represents, for example, keys, service accounts, and users, while the Resource node represents, for example, network interfaces, storage buckets, or disks. When available, the chain might also include an IP address and alerts that were triggered on the Identity and Cloud Resource.
Causality data is displayed as follows:
The Causality View provides an interactive way to view the CI chain for an alert. You can move it, extend it, and modify it. To adjust the appearance of the CI chain, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click in the lower-right of the CI graph.
Identity Node
Displays the name of the identity, generated alert information, and, if available, the associated IP address.
To further investigate the user:
  1. Hover over an Identity node to display, if available, the identity Analytics Profiles.
  2. Select the Identity node to display additional information about the Identity entity in the Entity Data section.
  3. Select the Alert icon to display additional information about the alert in the Entity Data section.
IP Address Node
Displays the IP address associated with the Identity.
Lists the type of operations performed by the identity on the cloud resources. Hover over the operation to display the original operation name as provided by the Cloud Provider.
Cloud Resource Node
Displays the referenced resource on which the operation was performed. Cortex XDR displays information on the following resources:
  • Compute Instance Resource
  • Disk Resource
  • General Resource
  • Image Resource
  • Network Interface Resource
  • Security Group (FW Rule) Resource
  • Storage Bucket Resource
  • Virtual Private Cloud (VPC) Resource
To further investigate the resource:
  1. Hover over a Resource node to display, if available, the resource Analytics Profiles and Resource Editors.
  2. Select the Resource node to display additional information about the Resource entity in the Entity Data section.

Entity Data

Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred.

Events Table

Displays up to 100,000 related events and up to 1,000 related alerts.
To continue investigation, in the table, you can perform the following actions from the right-click pivot menu:
  • Investigate Causality Chain of the associated alert.
  • Open in XQL to populate the event in an XQL search query that you can further refine, if needed.
  • Manage Alert to perform available actions.
  • Pivot to views to view related incident.
In the All Events table, Cortex XDR displays detailed information about each of the related events. To simplify your investigation, Cortex XDR scans your Cortex XDR data, aggregates the events that have the same Identity or Resource, and displays the entry with an aggregated icon. Right-click and select Show Grouped Events to view the aggregated entries.
Entries highlighted in red indicate that the specific event triggered an alert. To continue investigation, right-click to View in XQL.
