Network causality view - The network causality view shows a chain of individual network processes that triggered an issue as part of a particular sequence of operation. - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

The network causality view shows a chain of individual network processes that triggered an issue as part of a particular sequence of operation.

On the network causality view you can analyze and respond to issues stitched together from firewall and endpoint data. The view shows the causality (cause and effect) of the events in the entire process execution chain that led up to the issue. The network processes that triggered the issue can originate from Cortex Cloud, Palo Alto Networks next-generation firewalls, and other supported sources, such as third-party network sources.

On each node in the Causality Instance (CI) chain, Cortex Cloud provides information to help you understand what happened around the issue. The CI chain visualizes the firewall logs, endpoint files, and network connections that triggered the issues connected to a security event.

Note

The network causality view displays only the information collected by the detectors, so the CI chain might not show some of the firewall or agent processes.

The following sections describe the different areas of the network causality view:

The CI chain area includes the graphical representation of the Causality Instance (CI) chain, along with other information and capabilities that enable you to conduct your analysis.

The causality view presents a CI chain for the processes and the network connection involved in the issue. The CI chain is built from process nodes, events, and issues. The chain shows the process execution and might also include the events that these processes caused and the issues that were triggered by those events or processes. The Causality Group Owner (CGO) is displayed on the left side of the chain. The CGO is the process responsible for all the other processes, events, and issues in the chain. You need the entire CI to fully understand why the issue occurred.

The color of a process node indicates the WildFire verdict for that process.

Navigation

You can move the chain, extend it, and modify it. To adjust the appearance of the CI chain, use the size controls on the right. You can also move the chain by selecting and dragging it. To return the chain to its original position and size, click the reset icon in the lower-right corner of the CI graph.

Actions

Hover over a process node to display a Process Information pop-up listing useful information about the process. From any process node, you can also right-click to display additional actions that you can perform during your investigation:

  • Show parents and children: If the parent is not shown by default, you can display it. If the process has children, Cortex Cloud opens a dialog listing each child process's Start Time, Name, CMD, and Username.

  • Hide branch: Hide a branch from the causality view.

  • Add to block list or allow list, terminate, or quarantine a process: If, after investigating the activity in the CI chain, you want to act on the process, select the desired action. Allow list and block list decisions apply to the process across your organization.

    In the causality view of a Detection (Post Detected) type issue, you can also Terminate process by hash.
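The walk from a process node up to its CGO, and the child listing opened by Show parents and children, are easy to reproduce on a small set of process-start records. The block below is an added example written for this page; it is not Cortex Cloud code, and its rule for choosing the CGO (the topmost process among the collected records) is a deliberate simplification of whatever rules Cortex Cloud applies. The records, PIDs, and command lines are constructed for the example, and the root's parent (PID 4) is intentionally absent to mirror a parent that the detectors did not collect.

```python
"""Build a causality chain from process-start records and locate the CGO.

Added example for the Cortex Cloud network causality view page; not product
code. All records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ProcessNode:
    """One process node; fields mirror the Process Information pop-up."""
    pid: int
    ppid: int
    name: str
    cmd: str
    username: str
    start_time: str
    children: List["ProcessNode"] = field(default_factory=list)


# Constructed sample records (not real telemetry). PID 4, the parent of
# explorer.exe, is deliberately not present, as happens when the detectors
# did not collect a parent.
SAMPLE_EVENTS = [
    dict(pid=100, ppid=4, name="explorer.exe", cmd="explorer.exe",
         username="CORP\\alice", start_time="2024-12-24T08:00:01Z"),
    dict(pid=200, ppid=100, name="outlook.exe", cmd="outlook.exe",
         username="CORP\\alice", start_time="2024-12-24T08:01:10Z"),
    dict(pid=300, ppid=200, name="winword.exe", cmd='winword.exe /n "invoice.docm"',
         username="CORP\\alice", start_time="2024-12-24T08:05:02Z"),
    dict(pid=400, ppid=300, name="cmd.exe", cmd="cmd.exe /c update.bat",
         username="CORP\\alice", start_time="2024-12-24T08:05:30Z"),
    dict(pid=410, ppid=300, name="splwow64.exe", cmd="splwow64.exe 12288",
         username="CORP\\alice", start_time="2024-12-24T08:05:31Z"),
    dict(pid=500, ppid=400, name="powershell.exe", cmd="powershell.exe -NoProfile -File update.ps1",
         username="CORP\\alice", start_time="2024-12-24T08:05:33Z"),
]


def build_tree(events: List[dict]) -> Dict[int, ProcessNode]:
    """Index records by PID and link each node to its collected parent."""
    nodes = {e["pid"]: ProcessNode(**e) for e in events}
    for node in nodes.values():
        parent = nodes.get(node.ppid)
        if parent is not None:
            parent.children.append(node)
    for node in nodes.values():
        node.children.sort(key=lambda n: n.start_time)
    return nodes


def has_uncollected_parent(nodes: Dict[int, ProcessNode], pid: int) -> bool:
    """True when the parent PID is not among the collected records."""
    return nodes[pid].ppid not in nodes


def chain_to(nodes: Dict[int, ProcessNode], pid: int) -> List[str]:
    """Process names from the CGO (left end of the chain) down to pid."""
    names: List[str] = []
    seen = set()
    node = nodes[pid]
    while node.pid not in seen:          # guard against malformed, cyclic data
        seen.add(node.pid)
        names.append(node.name)
        if node.ppid not in nodes:
            break
        node = nodes[node.ppid]
    return list(reversed(names))


def causality_group_owner(nodes: Dict[int, ProcessNode], pid: int) -> ProcessNode:
    """Topmost collected ancestor of pid; treated as the CGO here (simplified rule)."""
    node = nodes[pid]
    for _ in range(len(nodes)):          # bounded walk, also cycle-safe
        if node.ppid not in nodes:
            break
        node = nodes[node.ppid]
    return node


def children_table(nodes: Dict[int, ProcessNode], pid: int) -> List[Tuple[str, str, str, str]]:
    """Rows as shown by 'Show parents and children': Start Time, Name, CMD, Username."""
    return [(c.start_time, c.name, c.cmd, c.username) for c in nodes[pid].children]


if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    issue_pid = 500                       # the node the issue was raised on
    print("CGO:", causality_group_owner(tree, issue_pid).name)
    print("Chain:", " -> ".join(chain_to(tree, issue_pid)))
    for row in children_table(tree, 300):
        print("\t".join(row))
```

Running it prints the chain from explorer.exe down to powershell.exe and the two children of winword.exe ordered by start time. Because PID 4 was never collected, `has_uncollected_parent(tree, 100)` is true: this is the situation the Note above describes, where the CI chain cannot show a parent the detectors did not report.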

The issue summary area summarizes information about the issue you are analyzing, including the host name, the process on which the issue was raised, and the host IP address. For issues raised on endpoint data or activity, this area also displays the endpoint connectivity status and operating system.

From here you can isolate the host on which the issue was triggered from the network, or initiate a live terminal session to the host to continue investigation and remediation.

The related events area displays all events for the process node that match the issue criteria but did not themselves trigger an entry in the issue table; they are informational. You can also export the table results to a tab-separated values (TSV) file.

In the Behavioral Threat Protection table, right-click an entry to add the process to the allow list or block list, terminate it, or quarantine it.

Tip

To view statistics for a file on VirusTotal, pivot from the file's Initiator MD5 or SHA256 value on the Files tab.