SaaS causality view - Learn more about the SaaS causality view used to identify and investigate SaaS-specific data associated with SaaS-related issues and SaaS audit logs. - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

Learn more about the SaaS causality view used to identify and investigate SaaS-specific data associated with SaaS-related issues and SaaS audit logs.

The SaaS causality view helps you analyze and investigate software-as-a-service (SaaS) related issues for audit stories, such as Office 365 audit logs and normalized logs, by highlighting the events and issues most relevant to a SaaS-related issue. It lets you investigate a SaaS issue quickly by displaying the series of events and artifacts that the issue shares, so you can identify the SaaS-specific data associated with SaaS-related issues and SaaS audit logs.

A SaaS causality view is only available when Cortex Cloud is configured to collect SaaS audit logs and data, for example by configuring an Office 365 data collector or a Google Workspace data collector with the applicable SaaS audit logs. With collection in place, you can investigate any Cortex Cloud issue generated from IOC, BIOC, or correlation rules, including issues raised on SaaS events. The SaaS causality view is available from the Issues table, or from the Query Results after running a query on the SaaS-related data. In both places, right-click to pivot to the SaaS causality view.

The scope of the SaaS causality view is the Causality Instance (CI) of the event to which the issue pertains. The SaaS causality view presents the event identity and/or IP address and the actions performed by that identity on the SaaS resource. On each node in the CI chain, Cortex Cloud provides information to help you understand what happened around the event.

The SaaS causality view contains the following sections:

  • Summarizes information about the issue you are analyzing, including the type of SaaS provider, project, and region on which the event occurred. Select View Raw Log to view the raw log as provided by the SaaS provider in JSON format.

  • Includes the graphical representation of the SaaS Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis.

The SaaS causality view presents a single-event CI chain built from Identity and Resource nodes. The Identity node represents, for example, keys, service accounts, and users; the Resource node represents, for example, network interfaces, storage buckets, or disks. When available, the chain also includes an IP address node and the issues that were triggered on the Identity and the SaaS resource.

  • Identity node: Displays the name of the identity, information about the generated issue, and, if available, the associated IP address.

  • IP address node: Displays the IP address associated with the Identity.

  • Resource node: Displays the resource on which the operation was performed. Cortex Cloud displays information on the resources listed in the table below.

Navigation

You can move the chain, extend it, and modify it. To adjust the appearance of the CI chain, use the size controls on the right. You can also move the chain by selecting and dragging it. To return the chain to its original position and size, click the reset icon in the lower-right of the CI graph.

Displays up to 100,000 related events and up to 1,000 related issues. In the All Events table, Cortex Cloud displays detailed information about each related event. To simplify your investigation, Cortex Cloud scans your Cortex Cloud data, aggregates the events that share the same Identity or Resource, and marks the resulting entry with an aggregated icon. Right-click the entry and select Show Grouped Events to view the aggregated entries.

Entries highlighted in red indicate that the event created an issue. To continue the investigation, right-click an event and select View in XQL, or, in the Issues table, right-click an issue to see the available actions.
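As an added illustration of the chain model described above (not Cortex Cloud's own code), the following Python builds one identity's CI chain from constructed Office 365-style audit records: the identity node, its IP address(es), the resources it acted on, and the events grouped the way the All Events table aggregates rows that share the same identity and resource, with issue-generating events marked separately. The record field names, the sample values, and the set of issue event ids are assumptions made for the example.

```python
from collections import defaultdict

# Constructed Office 365-style audit records for illustration only; field names
# follow the Office 365 Management Activity schema, the values are made up.
RAW_LOGS = [
    {"Id": 1, "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Workload": "SharePoint", "Operation": "FileDownloaded",
     "ObjectId": "https://example.sharepoint.com/sites/finance/q4.xlsx"},
    {"Id": 2, "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Workload": "SharePoint", "Operation": "FileDownloaded",
     "ObjectId": "https://example.sharepoint.com/sites/finance/q4.xlsx"},
    {"Id": 3, "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Workload": "Exchange", "Operation": "New-InboxRule",
     "ObjectId": "alice@example.com"},
    {"Id": 4, "UserId": "bob@example.com", "ClientIP": "198.51.100.9",
     "Workload": "SharePoint", "Operation": "FileDownloaded",
     "ObjectId": "https://example.sharepoint.com/sites/finance/q4.xlsx"},
]

# Constructed: ids of events that a rule turned into an issue (in the product
# these would come from IOC, BIOC, or correlation rules).
ISSUE_EVENT_IDS = {3}


def build_ci_chain(records, identity, issue_ids=ISSUE_EVENT_IDS):
    """Return the causality instance for one identity: its IP address(es), the
    resources it acted on, and events aggregated by (identity, resource)."""
    own = [r for r in records if r["UserId"] == identity]
    groups = defaultdict(list)
    for r in own:
        # Events sharing the same identity and resource collapse into one row.
        groups[(r["Workload"], r["ObjectId"])].append(r)
    resources = []
    for (workload, obj), evs in groups.items():
        resources.append({
            "workload": workload,
            "resource": obj,
            "operations": sorted({e["Operation"] for e in evs}),
            "event_count": len(evs),
            "aggregated": len(evs) > 1,          # would carry the aggregated icon
            "issue_events": [e["Id"] for e in evs if e["Id"] in issue_ids],  # red rows
        })
    return {
        "identity": identity,
        "ip_addresses": sorted({r["ClientIP"] for r in own}),
        "resources": resources,
        "issue_count": sum(len(x["issue_events"]) for x in resources),
    }
```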

The following table lists the SaaS resource icons:

Icon                  Type of resource
saas-resource-1.png   Google Workspace Admin Console
saas-resource-2.png   Google Workspace for Google Drive
saas-resource-3.png   Microsoft Office 365 Exchange Online
saas-resource-4.png   Microsoft 365 Office Groups
saas-resource-5.png   Microsoft Office 365 OneDrive
saas-resource-6.png   Microsoft Office 365 SharePoint Online
saas-resource-7.png   Microsoft Office 365 Skype for Business
saas-resource-8.png   Microsoft Office 365 Teams