FAQ on Graph Search

Cortex Cloud Posture Management Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Posture Management
Creation date: 2025-01-22
Last date published: 2026-06-04
Category: Administrator Guide
Abstract: Answer some frequently asked questions relating to Graph Search.

Prerequisite

Graph Search requires View or View/Edit RBAC permissions for Graph Search under Investigation & Response > Search.

Here are a number of Frequently Asked Questions (FAQ) about Graph Search:

Question 1: What data is currently searchable in Graph Search?

Answer 1: For this release, a number of assets and findings are supported. In upcoming releases, we will roll out more assets and provide the ability to model new services. For more information on the supported assets and findings, see Supported assets and findings.

Question 2: Can the Graph Search results be exported and in what formats?

Answer 2: For this release, you can export the Graph Search results to a PNG, SVG, or TSV file.

Question 3: Can the Graph Search results be grouped in the output?

Answer 3: Yes, two types of groupings are possible: automatic groupings and manual groupings that you can apply to the displayed graph results.

Question 4: How are the Graph Search query results displayed?

Answer 4: The query results are displayed in a graph (default) or table format. In the graph format, the paths on the graph that matched the node types and conditional attributes in the query are displayed. Each result is a full path of the matching query. In the table format, each row represents a different path in the graph that goes through all the matching node types and attributes as they appear in the Graph Search query. You can view the full asset information of any cell in the table by clicking the cell. Every asset and finding table shows different default columns.

Question 5: Are there any built-in manipulations to the query results that I can apply or are automatically displayed without having to update and rerun the Graph Search query?

Answer 5: Yes, the following are available:

  • On the right side of the graph results, there are different icons that can help you drill down into your graph results. These two icons provide built-in manipulations without having to make any changes to your Graph Search query:

    • Layers icon: Use the layers icon to easily add or remove additional information to the graph without having to define these parameters in your Graph Search query. You can decide when to include these built-in layers, as needed. The following are available:

      • Public Exposure to the Internet: Tracks the asset nodes with internet exposure that could be targeted for external surface attacks by displaying the exposure path. A Globe node called Internet is added to the graph, and all exposed asset nodes are linked to this Globe node. You can expand this connection by clicking the + icon to reveal the full internet path, including, for example, the NIC, Subnet, and Gateway. In the exposure path, you can select each node, or hover over it and select More Info, to display more information in a dialog box. You can click View Details to drill down even further on the asset node; the information displayed depends on the data collected for the selected asset node. Internet paths are collapsed by default.

      • Related Cases: Displays the number of related Cases for each asset node with a breakdown by severity.

      • Runtime Events: Adds the 100 most recent runtime events to the graph results, which are refreshed every hour. This enables you to investigate real-time activity and identify critical events, such as access to sensitive information typically contained in a storage bucket, which generate issues and cases. All the bucket nodes in the path include a runtime icon underneath, and an animation runs on all the bucket and virtual machine nodes. You can click the runtime icon to reveal more information, such as connection details and runtime events. Click Show Recent Events to display the Runtime Events table with more details on the last 100 events.

    • Group nodes icon: Use the Group nodes icon to group by the Cloud Provider, Cloud Account, or Cloud Region. Selecting one of these groupings enables you to view the graph results in an aggregated format, providing a clearer and more organized perspective of the data. This feature also helps to identify patterns and trends more easily in your data by grouping similar entities together. In the future, the Group nodes feature will be expanded to enable additional groupings.

  • Vulnerability finding nodes automatically display a breakdown of severity under the node.

Question 6: Are Graph Search queries accessible from the Query Library and are there any built-in queries that come out-of-the-box to view?

Answer 6: As part of Graph Search, Cortex Cloud provides a Query Library for saving and managing your own queries, queries shared with you, and built-in Graph Search queries provided by Palo Alto Networks to help illustrate how to build meaningful Graph Search queries on your data.