Causality icons key - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product
Cortex XDR
License
XDR + Cloud
Creation date
2025-07-13
Last date published
2026-06-11
Category
Administrator Guide

The following tables describe the causality chain icons, broken down by type:

Action icons

Causality action icons mark the actions that were taken on a process or event. Pending actions are shown with a dotted line.

Icon | Description
Blacklist__action_icon_.png, Blacklist_-_pending__action_icon_.png | Blocklist
Quarantine__action_icon_.png, Quarantine_-_pending__action_icon_.png | Quarantine
Whitelist__action_icon_.png, Whitelist_-_pending__action_icon_.png | Allowlist

Causality alert icons

Causality alert icons indicate the type of alert that was triggered.

Icon | Description
3rd_party__causality_alert_icon_.png | 3rd party
Agent__causality_alert_icon_.png | XDR Agent
Analytics__causality_alert_icon_.png | Analytics
BIOC__causality_alert_icon_.png | BIOC
Firewall__causality_alert_icon_.png | Firewall
General_alert__causality_alert_icon_.png | General alert
Identity_analytics__causality_alert_icon_.png | Identity analytics
IOC__causality_alert_icon_.png | IOC

Example 100.

A number next to the alert icon indicates that there are multiple alerts. This icon shows that there are three alerts and that the selected alert is a BIOC alert. You can scroll through the alerts in the Information Overview.

Muliple_BIOC_alerts.png

Cloud event icons

Cloud event icons indicate the type of cloud event or process.

Icon | Description
Cloud_admin__cloud_event_icon_.png | Cloud admin
Compute_disks__cloud_event_icon_.png | Compute disks
Compute_instances__cloud_event_icon_.png | Compute instances
Container_escaped__cloud_event_icon_.png | Container escaped
Drive__cloud_event_icon_.png | Drive
Exchange__cloud_event_icon_.png | Exchange
General_resource__cloud_event_icon_.png | General resource
Groups__cloud_event_icon_.png | Groups
Images__cloud_event_icon_.png | Images
Network_interfaces__cloud_event_icon_.png | Network
Onedrive__cloud_event_icon_.png | Onedrive
Security_groups-_FW_rules__cloud_event_icon_.png | Security groups / FW rules
Sharepoint__cloud_event_icon_.png | Sharepoint
Skype__cloud_event_icon_.png | Skype
Storage_buckets__cloud_event_icon_.png | Storage buckets
Subnets__cloud_event_icon_.png | Subnets
Teams__cloud_event_icon_.png | Teams
VPCs__cloud_event_icon_.png | VPCs

Event icons

Event icons indicate the type of activity that occurred.

Icon | Description
DotNet__event_icon_.png | DotNet
Event_log__event_icon_.png | Event log
File__event_icon_.png | File
Firewall__event_icon_.png | Firewall
Host__event_icon_.png | Host
Host_group__event_icon_.png | Host group
Identity_analytics__event_icon_.png | Identity analytics
Internet__event_icon_.png | Internet
Malware_alert__event_icon_.png | Malware
Mobile__event_icon_.png | Mobile
Module_load__event_icon_.png | Module load
Multi-user__event_icon_.png | Multi-user
Network__event_icon_.png | Network
Potential_prevention__event_icon_.png | Potential prevention
Range__event_icon_.png | Range
Registry__event_icon_.png | Registry
Router__event_icon_.png | TCP Protocol
Server__event_icon_.png | Server
Unknown__event_icon_.png | Unknown event
User_session__event_icon_.png | User session
VOIP__event_icon_.png | VOIP
VPN__event_icon_.png | VPN

Left node icons

Left node icons provide additional information about a process.

Icon | Description
Injection__left_node_icon_.png | Injected node
Last_actor__left_node_icon_.png | Last actor
Remote_IP__left_node_icon_.png | Remote terminal session
RPC__left_node_icon_.png | RPC
Unknown_process__left_node_icon_.png | Unknown process

Node icons

Node icons indicate the type of process or event that occurred in the chain.

Icon | Description
Adobe__node_icon_.png | Adobe
Attachment__node_icon_.png | Attachment
Chrome__node_icon_.png | Chrome
Cloud__node_icon_.png | Remote IP Address
Email__node_icon_.png | Email
Endpoint__node_icon_.png | Endpoint
Excel__node_icon_.png | Excel
Firefox__node_icon_.png | Firefox
Generic_process__node_icon_.png | Generic process
Internet_Explorer__node_icon_.png | Internet Explorer
IP__node_icon_.png | IP address
Link__node_icon_.png | Link
mySQL__node_icon_.png | mySQL
Outlook__node_icon_.png | Outlook
Powerpoint__node_icon_.png | Powerpoint
Putty__node_icon_.png | Putty
Sender__node_icon_.png | Sender
Unknown__node_icon_.png | Unknown
User__node_icon_.png | User
Word__node_icon_.png | Word

Other icons

Icon | Description
Benign.png | Benign
Container.png | Container
CGO__text_icon_.png | Causality Group Owner (CGO)
Default__other_icon_.png | Default
Grayware.png | Grayware
In-evaluation.png | In-evaluation
Malware.png | Malware
Quarantine__other_icon_.png | Quarantine
Still_running__text_icon_.png | Still running
Unknown_sample.png | Unknown sample
User__text_icon_.png | User
WF_Download__other_icon_.png | WF download
WF_Download_unsuccessful__other_icon_.png | WF download unsuccessful

Examples

Example 101.

The following example shows an XDR Agent alert that was triggered on a File.

Example_Agent_alert.png

Example 102.

In this example, an NGFW alert was triggered on a TCP Protocol that called a remote IP address, which in turn created an unknown process.

Example_NGFW_alert.png

Example 103.

In this example, the highlighted process node represents the real parent that executed the process. Click the node for more details about the parent process. The pen icon on the first process node indicates that this process is the "last actor". The syringe icon on the last process node indicates that this process is an "injected node".

Example_starting_process.png

Example 104.

In this example, two alerts were triggered on an email that was sent to two recipients and that included attachments and links.

Example_Email_alert.png