Analyze an alert - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide
Abstract

Learn more about analyzing alerts in the alert side panel and the causality view.

To help you understand the full context of an alert, Cortex XDR provides two views: the alert side panel and the causality view. Together they let you quickly carry out a thorough analysis.

The causality view is available for XDR agent alerts that are based on endpoint data, and for alerts raised on network traffic logs that have been stitched with endpoint data.

How to view alert analysis
  1. From the Alerts page, locate the alert you want to analyze.

  2. Click the alert and review the information in the alert side panel. If you want to see more information about the alert, click Investigate to open the alert investigation panel.

  3. Right-click anywhere in the alert, and select Investigate Causality Chain.

    You can also view the causality chain over time using the Timeline view.

  4. Review the chain of execution and available data for the process and, if available, navigate through the process tree.