Network Causality View
The Network Causality View provides a powerful way to analyze and respond to stitched firewall and endpoint alerts. The scope of the Causality View is the Causality Instance (CI) to which the alert pertains. The Causality View presents the network processes that triggered the alert, as generated by Cortex XDR, Palo Alto Networks next-generation firewalls, and supported alert sources such as the Cortex XDR agent. The Network Causality View includes the entire process execution chain that led up to the alert. On each node in the CI chain, Cortex XDR provides information to help you understand what happened around the alert.

The CI chain visualizes the firewall logs, endpoint files, and network connections that triggered alerts connected to a security event.

The Network Causality View displays only the information it collects from the detectors. It is possible that the CI may not show some of the firewall or agent processes.
The Network Causality View comprises five sections:
| Section | Description |
|---|---|
| Context | Summarizes information about the alert you are analyzing, including the host name, the process name on which the alert was raised, and the host IP address. For alerts raised on endpoint data or activity, this section also displays the endpoint connectivity status and operating system. |
| Host Isolation | You can choose to isolate the host on which the alert was triggered from the network, or initiate a live terminal session to the host to continue investigation and remediation. |
| CI Chain | Includes the graphical representation of the Causality Instance (CI) along with other information and capabilities that enable you to conduct your analysis. The Causality View presents a CI chain for each of the processes and the network connection. The CI chain is built from process nodes, events, and alerts. The chain presents the process execution and might also include events that these processes caused and alerts that were triggered on the events or processes. The Causality Group Owner (CGO) is displayed on the left side of the chain. The CGO is the process that is responsible for all the other processes, events, and alerts in the chain. You need the entire CI to fully understand why the alert occurred. The Causality View provides an interactive way to view the CI chain for an alert: you can move it, extend it, and modify it. To adjust the appearance of the CI chain, enlarge or shrink it using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click the reset icon. From any process node, you can also right-click to display additional actions that you can perform during your investigation. The color of a process node also correlates to the WildFire verdict. |
| Entity Data | Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred. |
| Events Table | Displays all related events for the process node that match the alert criteria but were not triggered in the alert table and are informational. For the Behavioral Threat Protection table, right-click to add to the allow list or block list, or to terminate or quarantine a process. To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab. |
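To make the CI chain concrete, the following added example (not Cortex XDR code, and not an API the product exposes) reconstructs a chain from constructed process-start records, attaches the constructed network and file events to their process nodes, and identifies the CGO as the root of the parent chain that leads to the process the alert was raised on. Record field names (`pid`, `ppid`, `name`, `type`) are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry: one record per process start.
PROCESSES = [
    {"pid": 100, "ppid": 0,   "name": "explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "winword.exe"},
    {"pid": 300, "ppid": 200, "name": "powershell.exe"},
    {"pid": 400, "ppid": 300, "name": "curl.exe"},
    {"pid": 500, "ppid": 100, "name": "notepad.exe"},  # sibling, not in the CI
]

# Constructed events caused by processes, and one stitched firewall alert.
EVENTS = [
    {"pid": 400, "type": "network", "dst": "198.51.100.7:443"},
    {"pid": 300, "type": "file", "path": "C:\\Users\\u\\script.ps1"},
]
ALERTS = [
    {"pid": 400, "source": "NGFW", "name": "Suspicious outbound connection"},
]


def build_ci(alert, processes=PROCESSES, events=EVENTS):
    """Return the CI chain for the alert: CGO first, alerted process last."""
    by_pid = {p["pid"]: p for p in processes}
    chain, seen = [], set()
    pid = alert["pid"]
    # Walk parent links until the root; guard against malformed cycles.
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()  # CGO on the left, as in the Causality View
    per_node = defaultdict(list)
    for e in events:
        per_node[e["pid"]].append(e)
    return {
        "cgo": chain[0]["name"],
        "chain": [p["name"] for p in chain],
        "events": {p["name"]: per_node[p["pid"]] for p in chain},
    }


if __name__ == "__main__":
    ci = build_ci(ALERTS[0])
    print(" -> ".join(ci["chain"]))
    for name, evs in ci["events"].items():
        print(f"{name}: {len(evs)} event(s)")
```

Note that the sibling process `notepad.exe` is excluded: only processes on the path from the CGO to the alerted process belong to this CI.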