Gain insight into why issues were grouped in a case.
The Grouping Graph is a visual representation of the logic used to group issues in a case. It provides transparency into why specific issues are linked, illustrating the relationships between data points and the underlying decision-making process of the analysis engine.
By revealing these connections, the graph offers key insights into the case narrative, visualizes the overall scope, and identifies common artifacts for investigation.
Cortex Cloud automatically matches issues and artifacts into a unified case based on a specific grouping logic. This allows you to resolve the entire scope of a case rather than treating detections in isolation. The logic is driven by the following factors:
Artifact association: Issues sharing core artifacts, for example the same file hash or IP.
Similarity clustering: Issues with similar detection patterns on the same entities.
Related entities: Detections on related assets occurring within a close timeframe or context.
Linked and merged issues: Issues that were manually linked to the case, and issues merged into it.
Related issues are added to the case until a specific grouping threshold is met. In the Grouping Graph you can see whether case grouping is active or inactive. For more information about case grouping and case thresholds, see Case grouping.
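To make the grouping factors above concrete, here is an added, illustrative model of how a case grows from its initiating issue: each candidate issue is matched against the case's members by artifact association, similarity clustering (same detection pattern on the same entity), or related entities within a time window, and matching stops once the grouping threshold is met. This is example code written for this page, not Cortex Cloud's engine; the asset relationships, the 30-minute window, the threshold of 5, the assumption that manually linked issues bypass matching, and all issue data are constructed for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed parameters for the example (not Cortex Cloud's real values).
RELATED_ASSETS = {"host-b": {"host-c"}}   # hypothetical asset relationships
WINDOW = timedelta(minutes=30)            # "close timeframe" for related entities
THRESHOLD = 5                             # grouping threshold: case stops accepting issues


@dataclass(frozen=True)
class Issue:
    id: str
    entity: str            # host or user the detection fired on
    pattern: str           # detection rule / name
    artifacts: frozenset   # file hashes, IPs, ...
    severity: str
    ts: datetime


@dataclass
class Case:
    issues: list = field(default_factory=list)   # initiating issue first
    edges: list = field(default_factory=list)    # (src, dst, reason): why dst was linked
    grouping_active: bool = True


def match_reason(case, cand):
    """Return (member_id, reason) for the first case member the candidate matches, else None."""
    for m in case.issues:
        shared = m.artifacts & cand.artifacts
        if shared:
            return m.id, f"artifact association: shares {sorted(shared)}"
        if m.entity == cand.entity and m.pattern == cand.pattern:
            return m.id, f"similarity clustering: {cand.pattern} on {cand.entity}"
        if cand.entity in RELATED_ASSETS.get(m.entity, set()) and abs(cand.ts - m.ts) <= WINDOW:
            return m.id, f"related entities: {cand.entity} related to {m.entity} within {WINDOW}"
    return None


def group(initial, candidates, manual_links=()):
    """Grow a case from `initial` until THRESHOLD issues are in it, then mark grouping inactive."""
    case = Case(issues=[initial], edges=[("case", initial.id, "initiated case")])
    for cand in sorted(candidates, key=lambda i: i.ts):
        if not case.grouping_active:
            break                       # threshold met: no new matching issues are accepted
        hit = match_reason(case, cand)
        if hit is None:
            continue
        src, reason = hit
        case.issues.append(cand)
        case.edges.append((src, cand.id, reason))
        if len(case.issues) >= THRESHOLD:
            case.grouping_active = False
    # Assumption: manually linked issues bypass matching and the threshold
    # (they appear on the graph with a "linked" label).
    for linked in manual_links:
        case.issues.append(linked)
        case.edges.append(("case", linked.id, "linked"))
    return case


def cluster_summary(case):
    """Issue count and severity breakdown per edge reason, like a cluster's hover panel."""
    by_id = {i.id: i for i in case.issues}
    out = {}
    for _, dst, reason in case.edges:
        entry = out.setdefault(reason.split(":")[0], [0, Counter()])
        entry[0] += 1
        entry[1][by_id[dst].severity] += 1
    return {kind: (n, dict(sev)) for kind, (n, sev) in out.items()}


def build_demo():
    """Constructed sample issues: I1 starts the case, I5 is unrelated, I7 arrives after the threshold."""
    t0 = datetime(2024, 1, 1, 12, 0)

    def mk(iid, entity, pattern, artifacts, severity, minutes):
        return Issue(iid, entity, pattern, frozenset(artifacts), severity, t0 + timedelta(minutes=minutes))

    initial = mk("I1", "host-a", "cred-dump", {"sha256:aa"}, "high", 0)
    candidates = [
        mk("I2", "host-b", "c2-beacon", {"sha256:aa", "10.0.0.5"}, "high", 5),   # shares hash with I1
        mk("I3", "host-b", "c2-beacon", {"10.0.0.9"}, "medium", 10),            # same pattern+entity as I2
        mk("I4", "host-c", "lateral-move", {"10.0.0.7"}, "medium", 12),         # host-c related to host-b
        mk("I5", "host-z", "phish", {"mail-1"}, "low", 15),                      # unrelated: never grouped
        mk("I6", "host-a", "cred-dump", {"sha256:bb"}, "high", 20),             # same pattern+entity as I1
        mk("I7", "host-a", "cred-dump", {"sha256:aa"}, "critical", 25),         # matches, but grouping is inactive
    ]
    linked = [mk("I8", "user-alice", "risky-signin", {"alice"}, "low", 40)]
    return group(initial, candidates, manual_links=linked)


if __name__ == "__main__":
    case = build_demo()
    for src, dst, reason in case.edges:
        print(f"{src} -> {dst}: {reason}")
    print("grouping active:", case.grouping_active)
    print(cluster_summary(case))
```

Running the script prints one line per edge, which is exactly the information the Grouping Graph encodes visually: the member that caused the link and the factor behind it. Note that I7 matches the initiating issue on pattern, entity and hash but is still left out, because the case reached the threshold when I6 was added; this is the "grouping inactive" state described above.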
The graph uses a structured hierarchy of nodes and edges to represent the primary elements of a case:

| Component | Description |
|---|---|
| Edges | Represent the relationship between graph entities and show why they were linked. Edges display as lines that connect nodes and entities; each solid (full) line represents a direct relationship. The system defines three edge types. Edges display as: |
| Case node | The central anchor node to which all other elements are connected. |
| Issue nodes | Visualized with parent/child relationships to show how primary threats spawned secondary activity. |
| Clusters | Groups of issues that are clustered automatically to keep the visual workspace organized, showing the total issue count in the cluster and its severity breakdown. Issues are clustered if they: |
| Artifacts | Represent artifacts linked to the issues in the case, such as user names, IPs, and causality chains. A causality chain artifact links every issue in that chain to the case. |
You can interact with the graph to uncover deeper layers of data without leaving the case view:
Expand and break down: Click elements within the graph to expand clusters and view additional node details, such as severity, domains, and current status.
Review issues and artifacts: Hover over any entity in the graph to open a quick-view panel containing high-level details such as severity, domain, and current status. Hover over a cluster to see a breakdown of the severities contained within it.
Deep dive into issues: Click an issue node and select Open Issue to view a detailed issue card with granular details about the issue.
The following table breaks down the labeled components in the example graph:

| Label | Explanation |
|---|---|
| 1 | Solid edge linking the case node to the issue that initiated case creation. |
| 2 | The issue that initiated case creation. |
| 3 | Causality chain related to the initial issue. |
| 4 | Cluster of issues that are part of the same causality chain as the initial issue. The cluster shows that it contains 13 issues, along with their severity breakdown. |
| 5 | Broken edge linking to a cluster of issues that were manually linked to the case, indicated by the Linked label. |
| 6 | User name related to one or more issues in the linked-issues cluster. |
| 7 | Issue related to the user name. |
| 8 | Case grouping is inactive label. This indicates that the case no longer accepts new matching issues, which happens when a case grouping threshold is met. For more information, see Case thresholds. |