Evidence - Review the Evidence section of the Case card to see details of causalities and events. - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-06-10
Category
Administrator Guide
Abstract

Review the Evidence section of the Case card to see details of causalities and events.

Evidence consists of data generated by different sources to provide the how and why behind an issue. It provides the technical context necessary for effective action and remediation.

By mapping these dependencies, you can pinpoint exactly how a threat entered your environment and identify the specific actions taken at each stage of the attack. This insight helps you move beyond seeing what happened to understanding the attacker's path, enabling you to implement more effective containment and remediation strategies.

You can view evidence in the Evidence section of the case Overview, which provides a centralized, schema-based view of technical data and manual notes. You can also see issue-specific evidence in the issue card.

Types of evidence

The type of evidence displayed depends on the problem found and differs by domain, asset type, scanner, and other parameters. The following is a list of the most common types of evidence:

  • Causality chains: Sequences tracing events from root cause to final activity to identify attacker paths and actions.

  • Evidence events: Individual security events that triggered or contributed to the issue.

  • Standard evidence: Engine-generated JSON payloads containing technical details and specific findings (e.g., process command lines, file hashes, or digital signatures). For certain configuration issues, the evidence highlights the misconfiguration and often provides the expected configuration values to help you remediate the issue.

  • Timeline-based evidence: You can mark any timeline record as evidence to centralize findings in the Evidence tab. This includes the following record types:

    • System-generated records: Specific events or signals captured automatically by the security engine.

    • Manually created notes: Your added observations, query results, and uploaded files—such as screenshots, logs, or reports—supporting various formats including images (PNG, JPG, GIF) and text-based files (TXT, CSV, JSON).

Evidence lifecycle

The evidence lifecycle ensures that technical proof remains accurate and available from the moment an issue is identified until it is resolved and archived:

  • Registration and refresh: Evidence is registered at issue creation and refreshed at the same frequency as the issue to prevent data discrepancies.

  • Resolution and retention: Resolved issues retain a final snapshot of the evidence for auditing and data completeness. Evidence is a snapshot in time reflecting the state at the last update.

  • Update behavior: If a problem is fixed, the last snapshot is preserved; otherwise, evidence continues to update.

Using evidence in workflows and automation

Evidence is available for use in automated response and API-based retrieval.

Playbooks and quick actions

Use playbooks and quick actions to support your investigation:

  • Extract data for logic: Pull technical details directly into automated enrichment, containment, and decision-making workflows.

  • Pass payloads to commands: Use evidence data as input parameters for system commands to include technical proof in logs or external security tools.

  • Filter by evidence type: Request specific evidence categories to reduce processing overhead for targeted automation tasks.

Exporting and programmatic retrieval

You can export and retrieve evidence to support external analysis and compliance using the following methods:

  • Direct download: Manual attachments and files can be downloaded directly for offline use or specialized analysis.

  • Table export: Evidence and events can be exported in TSV or CSV format from the console tables.

Evidence export use cases

Exporting evidence can support your investigation process:

  • Confirm detections: Use technical proof to resolve false-positive disputes and verify findings without manual endpoint logins (CWP).

  • Provide audit trails: Maintain a permanent, immutable record of the technical data and forensic context required for internal and external auditing.

  • Support external analysis: Export data to forensic tools to investigate events from multiple angles and generate post-incident reports.

  • Centralize response: Aggregate evidence across engines for a holistic, case-level view of security investigations.

Causality chain evidence

Issues include causality chains if they originate from endpoint data that allows the specific processes to be tracked. Causality chains are listed by their Causality Group Owner (CGO); expand the CGO card you want to investigate. Each CGO card displays the following CGO event details and the causality chain:

  • CGO name

  • Issue sources associated with the entire causality chain

  • Execution time of the causality chain

  • Number of issues that include the CGO, broken down by severity

Expand the causality chain to investigate further in the full Causality view. For more information, see Causality view.