SaaS Causality View - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about the SaaS Causality View used to identify and investigate SaaS-specific data associated with SaaS-related alerts and SaaS Audit Logs.

The SaaS Causality View provides a powerful way to analyze and investigate software-as-a-service (SaaS) related alerts for audit stories, such as Office 365 audit logs and normalized logs, by highlighting the most relevant events and alerts associated with a SaaS-related alert. To help you identify and investigate SaaS-specific data associated with SaaS-related alerts and SaaS Audit Logs, Cortex XSIAM displays a SaaS Causality View, which enables you to swiftly investigate a SaaS alert by displaying the series of events and artifacts that are shared with the alert.

A SaaS Causality View is only available when Cortex XSIAM is configured to collect SaaS Audit Logs and data. For example, this is possible by configuring an Office 365 data collector or Google Workspace data collector with the applicable SaaS Audit logs. This enables you to investigate any Cortex XSIAM alerts generated from any IOC, BIOC, or Correlation Rules, including SaaS events. The SaaS Causality View is available from either the Alerts table or from the Query Results after running a query on the SaaS related data in XQL Search. From both of these places, you can pivot (right-click) to the SaaS Causality View from any row in the table and selecting Investigate Causality ChainOpen Card in new tab or Investigate Causality ChainOpen Card in same tab.Ingest Logs from Microsoft Office 365

The scope of the SaaS Causality View is the Causality Instance (CI) of an event to which this alert pertains. The SaaS Causality View presents the event identity and /or IP address and the actions performed by the identity on the SaaS resource. On each node in the CI chain, Cortex XSIAM provides information to help you understand what happened around the event.

The SaaS Causality View contains the following sections:


Summarizes information about the alert you are analyzing, including the type of SaaS Provider, Project, and Region on which the event occurred. Select View Raw Log to view the raw log as provided by the SaaS Provider in JSON format.

SaaS Causality Instance Chain

Includes the graphical representation of the SaaS Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis.

The SaaS Causality View presents a single event CI chain. The CI chain is built from Identity and Resource nodes. The Identity node represents for example keys, service accounts, and users, while the Resource node represents for example network interfaces, storage buckets, or disks. When available, the chain can also include an IP address and alerts that were triggered on the Identity and SaaS Resource.

The SaaS Causality View provides an interactive way to view the CI chain for an alert. You can move it, extend it, and modify it. To adjust the appearance of the CI chain, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click causality-view-reset-icon.png in the lower-right of the CI graph.

  • Identity Node: Displays the name of the identity, generated alert information, and if available the associated IP address.

    To further investigate the user:

    1. Hover over an Identity node to display, if available, the identity Analytics Profiles.

    2. Select the Identity node to display in the Entity Data section additional information about the Identity entity.

    3. Select the Alert icon to display in the Entity Data section additional information about the alert.

  • IP Address Node: Displays the IP address associated with the Identity.

  • Resource Node: Displays the referenced resource on which the operation was performed. Cortex XSIAM displays information on the following resources.


    Type of Resource


    Google Workspace Admin Console


    Google Workspace for Google Drive


    Microsoft Office 365 Exchange Online


    Microsoft 365 Office Groups


    Microsoft Office 365 OneDrive


    Microsoft Office 365 SharePoint Online


    Microsoft Office 365 Skype for Business


    Microsoft Office 365 Teams

    To further investigate the resource:

    1. Hover over a Resource node to display, if available, the resource Analytics Profiles and Resource Editors statistics.

    2. Select the Resource node to display in the Entity Data section additional information about the Resource entity.

Entity Data

Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred.

Alerts and All Events Table Tabs

The All Events table displays up to 100,000 related events, while the Alerts table, if available, displays up to 1,000 related alerts.

To continue the investigation, in the Alerts table, you can perform the following actions from the right-click pivot menu:

  • Change Status of the associated alert.

  • Change Severity of the associated alert.

  • Investigate Causality Chain of the associated alert.

  • Open in XQL to populate the event in an XQL search query that you can further refine if needed.

  • Manage Alert to perform available actions.

  • Pivot to views to view the related incidents.

In the All Events table, Cortex XSIAM displays detailed information about each of the related events. To simplify your investigation, Cortex XSIAM scans your Cortex XSIAM data aggregating the events that have the same Identity or Resource and displays the entry with an cloud-causality-aggregated-events.png aggregated icon. Right-click and select Show Grouped Events to view the aggregated entries.

Entries highlighted in red indicate that the specific event triggered an alert. To continue the investigation, right-click to View in XQL.