The network causality view shows the chain of individual network processes that, together and in a particular sequence of operation, triggered an alert.
Notice
Requires a Cortex XDR Pro license.
The network causality view provides a powerful way to analyze and respond to stitched firewall and endpoint alerts. The scope of the network causality view is the Causality Instance (CI) to which the alert pertains. The network causality view presents the network processes that triggered the alert, generated by Cortex XDR, Palo Alto Networks next-generation firewalls, and supported alert sources such as the Cortex XDR agent.
The network causality view includes the entire process execution chain that led up to the alert. On each node in the CI chain, Cortex XDR provides information to help you understand what happened around the alert. The CI chain visualizes the firewall logs, endpoint files, and network connections that triggered alerts connected to a security event.
Note
The network causality view displays only the information it collects from the detectors. The CI might not show some of the firewall or agent processes.
The network causality view comprises the following sections: