Timeline View - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

The Timeline provides a forensic timeline of the sequence of events, alerts, and informational BIOCs and Correlation Rules involved in an attack. While the Causality View of an alert surfaces related events and processes that Cortex XDR identifies as important or interesting, the Timeline displays all related events, alerts, and informational BIOCs and Correlation Rules over time.


The Timeline View is not available when investigating cloud Cortex XDR alerts and Cloud Audit Logs or SaaS-related alerts for 501 audit events, such as Office 365 audit logs and normalized logs. Only the applicable Cloud Causality View and SaaS Causality View is available for this data.

Cortex XDR presents the Timeline in four parts:



CGO (and process instances that are part of the CGO)

Cortex XDR displays the Causality Group Owner (CGO) and the host on which the CGO ran in the top left of the timeline. The CGO is the parent process in the execution chain that Cortex XDR identified as being responsible for initiating the process tree. In the example above, wscript.exe is the CGO and the host it ran on was HOST488497. You can also click the blue corner of the CGO to view and filter related processes from the Timeline. This will add or remove the process and related events or alerts associated with the process from the Timeline.


By default, Cortex XDR displays a 24-hour period from the start of the investigation and displays the start and end time of the CGO at either end of the timescale. You can move the slide bar to the left or right to focus on any time-gap within the timescale. You can also use the time filters above the table to focus on set time periods.


Depending on the type of activities involved in the CI chain of events, the activity section can present any of the following three lanes across the page:

  • Alerts—The alert icon indicates when the alert occurred.

  • BIOCs and Correlation Rules—The category of the alert is displayed on the left (for example tampering or lateral movement). Each BIOC event also indicates a color associated with the alert severity. An informational severity can indicate something interesting has happened but there were not any triggered alerts. These events are likely benign but are byproducts of the actual issue.

  • Event Information—The event types include process execution, outgoing or incoming connections, failed connections, data upload, and data download. Process execution and connections are indicated by a dot. One dot indicates one connection while many dots indicates multiple connections. Uploads and Downloads are indicated by a bar graph that shows the size of the upload and download.

The lanes depict when the activity occurred and provide additional statistics that can help you investigate. For BIOC, Correlation Rules, and Alerts, the lanes also depict activity nodes, highlighted with their severity color: high (red), medium (yellow), low (blue), or informational (gray), and provide additional information about the activity when you hover over the node.

Related events, alerts, and informational BIOCs

Cortex XDR displays up to 100,000 alerts, BIOCs and Correlation Rules (triggered and informational), and events. Click on a node in the activity area of the Timeline to filter the results you see here. Similar to other pages in Cortex XDR , you can create filters to search for specific events.