Includes the graphical representation of the Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis.
The view presents a single event CI chain. The CI chain is built from Identity and Resource nodes. The Identity node represents, for example, keys, service accounts, and users, while the Resource node represents, for example, network interfaces, storage buckets, or disks. When available, the chain might also include an IP address and alerts that were triggered on the Identity and Cloud Resource.
The causality view provides an interactive way to view the CI chain for an alert. You can extend the CI chain, modify it, and move the chain around by selecting and dragging it. You can also enlarge or shrink the chain by using the size controls. To return the chain to its original position and size, click in the lower-right of the CI graph.
Causality data is displayed as follows:
Identity node: Displays the name of the identity, generated alert information, and, if available, the associated IP address.
IP address node: Displays the IP address associated with the Identity.
Operations: Lists the type of operations performed by the identity on the cloud resources. Hover over the operation to display the original operation name as provided by the cloud provider.
Cloud resource node: Displays the referenced resource on which the operation was performed. Cortex XDR displays information on the following resources:
To further investigate the resource:
Hover over a resource node to display, if available, the resource Analytics Profiles and Resource Editors statistics.
Select the resource node to display additional information about the resource entity in the Entity Data section.