Network Causality View - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

The Causality View shows a chain of individual network processes that together and in a particular sequence of operation triggered an alert.

The Network Causality View provides a powerful way to analyze and respond to the stitched firewall and endpoint alerts. The scope of the Causality View is the Causality Instance (CI) to which this alert pertains. The Causality View presents the network processes that triggered the alert, generated by Cortex XDR, Palo Alto Networks next-generation firewalls, and supported alert source such as the Cortex XDR agent.

The network causality view includes the entire process execution chain that led up to the alert. On each node in the CI chain, Cortex XDR provides information to help you understand what happened around the alert.

The CI chain visualizes the firewall logs, endpoint files, and network connections that triggered alerts connected to a security event.


The network causality view displays only the information it collects from the detectors. It is possible that the CI may not show some of the firewall or agent processes.

The Network Causality View comprises five sections:




Summarizes information about the alert you are analyzing, including the host name, the process name on which the alert was raised, and the host IP address. For alerts raised on endpoint data or activity, this section also displays the endpoint connectivity status and operating system.

Host Isolation

You can choose to isolate the host, on which the alert was triggered, from the network or initiate a live terminal session to the host to continue investigation and remediation.

CI Chain

Includes the graphical representation of the Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis.

The Causality View presents a CI chain for each of the processes and the network connection. The CI chain is built from process nodes, events, and alerts. The chain presents the process execution and might also include events that these processes caused and alerts that were triggered by the events or processes. The Causality Group Owner (CGO) is displayed on the left side of the chain. The CGO is the process that is responsible for all the other processes, events, and alerts in the chain. You need the entire CI to fully understand why the alert occurred.

The Causality View provides an interactive way to view the CI chain for an alert. You can move it, extend it, and modify it. To adjust the appearance of the CI chain, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click causality-view-reset-icon.png in the lower-right of the CI graph.

From any process node, you can also right-click to display additional actions that you can perform during your investigation:

  • Show parents and children—If the parent is not presented by default, you can display it. If the process has children, Cortex XDR displays the number of children beneath the process name and allows you to display them for additional information.

  • Hide branch—Hide a branch from the Causality View.

  • Add to block list or allow list, terminate, or quarantine a process—If after investigating the activity in the CI chain, you want to take action on the process, you can select the desired action on the process across your organization.

    In the causality view of a Detection (Post Detected) type alert, you can also Terminate process by hash.

When selecting the Network Appliance node in the Network Causality View, the event timestamp is now displayed in the Entity Data section of the card.

The color of a process node also correlates to the WildFire verdict.

  • Blue—Benign.

  • Yellow—Grayware.

  • Red—Malware.

  • Light gray—Unknown verdict.

  • Dark gray—The verdict is inconclusive.

    To view and download the WildFire report, in the Entity Data section, click view-icon.png.

Entity Data

Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred.

Events Table

Displays all related events for the process node which match the alert criteria that were not triggered in the alert table but are informational. You can also export the table results to a tab-separated values (TSV) file.

For the Behavioral Threat Protection table, right-click to add to allow list or block list, terminate, and quarantine a process.


To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab.