Learn more about the SaaS causality view used to identify and investigate SaaS-specific data associated with SaaS-related alerts and SaaS audit logs.
Notice
Requires a Cortex XDR Pro license.
The SaaS causality view is a way to analyze and investigate software-as-a-service (SaaS) related alerts in the context of their audit story, such as Office 365 audit logs and normalized logs. It highlights the events and alerts that are most relevant to a SaaS-related alert, so you can investigate the alert quickly by seeing the series of events and artifacts associated with it.
A SaaS causality view is only available when Cortex XDR is configured to collect SaaS audit logs and data, for example by configuring an Office 365 data collector or a Google Workspace data collector with the applicable SaaS audit logs. Once that collection is in place, you can investigate Cortex XDR alerts raised by IOC, BIOC, or correlation rules on SaaS events. The SaaS causality view is available from the Alerts table, or from the Query Results after running a query on SaaS-related data. From either place, right-click any row in the table and select → or → to pivot to the SaaS causality view.
The scope of the SaaS causality view is the Causality Instance (CI) of the event to which the alert pertains. The view presents the identity and/or IP address behind the event and the actions that identity performed on the SaaS resource. For each node in the CI chain, Cortex XDR provides information to help you understand what happened around the event.
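The following is an added illustration of what grouping an alert's events into a causality instance involves: it is not Cortex XDR code and does not reproduce how the product builds its view. It takes constructed records in the shape of Office 365 Management Activity API audit events (the field names `CreationTime`, `Operation`, `Workload`, `UserId`, `ClientIP`, `ObjectId` are the API's common-schema names; the tenant, users, URLs, and time window are hypothetical), links events to the alerting event by shared identity and/or client IP within a time window, and shapes the result into identity, IP, and action nodes. The `link_on` parameter shows the difference between linking on identity only and on identity or IP.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Office 365 Management Activity
# API audit events (common-schema field names). Hypothetical tenant, users
# and URLs; not real data and not output of Cortex XDR.
SAMPLE_AUDIT_LOG = [
    {"Id": "e1", "CreationTime": "2024-03-01T09:00:12", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ObjectId": "alice@example.com"},
    {"Id": "e2", "CreationTime": "2024-03-01T09:02:40", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ObjectId": "alice@example.com\\Forward all"},
    {"Id": "e3", "CreationTime": "2024-03-01T09:03:05", "Operation": "FileDownloaded",
     "Workload": "SharePoint", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/Payroll.xlsx"},
    # A second identity signing in from the same source IP shortly after.
    {"Id": "e4", "CreationTime": "2024-03-01T09:04:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.10", "ObjectId": "bob@example.com"},
    # Unrelated identity and IP; should never be linked to the alert.
    {"Id": "e5", "CreationTime": "2024-03-01T09:05:00", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "carol@example.com",
     "ClientIP": "198.51.100.7",
     "ObjectId": "https://contoso.sharepoint.com/sites/eng/Roadmap.docx"},
    # Same identity and IP, but hours later, outside the default window.
    {"Id": "e6", "CreationTime": "2024-03-01T13:30:00", "Operation": "FileDeleted",
     "Workload": "SharePoint", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/Old.docx"},
]


def _ts(event):
    """Parse the event's CreationTime (ISO 8601) into a datetime."""
    return datetime.fromisoformat(event["CreationTime"])


def causality_instance(events, alert_event_id, window=timedelta(minutes=30),
                       link_on=("UserId", "ClientIP")):
    """Collect the events that belong to the alerting event's causality instance.

    An event is linked to the alert when it falls within +/- window of the alert
    and shares at least one of the link_on attributes with it (identity and/or
    client IP). Returns the linked events in chronological order, alert included.
    """
    by_id = {e["Id"]: e for e in events}
    alert = by_id[alert_event_id]
    t_alert = _ts(alert)
    chain = [e for e in events
             if abs(_ts(e) - t_alert) <= window
             and any(e.get(k) is not None and e.get(k) == alert.get(k)
                     for k in link_on)]
    chain.sort(key=_ts)
    return chain


def summarize_chain(chain, alert_event_id):
    """Shape the chain into the node data a causality view would show:
    the acting identities and source IPs, plus one action node per event
    describing the operation performed on the SaaS resource."""
    identities = sorted({e["UserId"] for e in chain})
    client_ips = sorted({e["ClientIP"] for e in chain})
    actions = [{"id": e["Id"], "time": e["CreationTime"], "actor": e["UserId"],
                "ip": e["ClientIP"], "action": e["Operation"],
                "workload": e["Workload"], "resource": e["ObjectId"],
                "is_alert": e["Id"] == alert_event_id}
               for e in chain]
    return {"identities": identities, "client_ips": client_ips, "actions": actions}


def investigate(events, alert_event_id, **kwargs):
    """Build the causality instance for an alert and summarize it as view nodes."""
    chain = causality_instance(events, alert_event_id, **kwargs)
    return summarize_chain(chain, alert_event_id)


if __name__ == "__main__":
    # Alert on the inbox-rule creation (e2); print the chain around it.
    view = investigate(SAMPLE_AUDIT_LOG, "e2")
    for node in view["actions"]:
        marker = "*" if node["is_alert"] else " "
        print(f"{marker} {node['time']} {node['actor']} {node['ip']} "
              f"{node['action']} -> {node['resource']}")
```

With the default settings the alert on `e2` pulls in the login before it, the file download after it, and Bob's login from the same IP, while the unrelated `e5` and the much later `e6` stay out. Restricting `link_on` to `UserId` drops Bob's login, which is the practical difference between the identity view and the identity-or-IP view of the same alert.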
The SaaS causality view contains the following sections: