Timeline View - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

From the Cortex XSIAM tenant you can view the sequence (or timeline) of events and alerts that are involved in any particular threat.

The Timeline provides a forensic timeline of the sequence of events, alerts, and informational BIOCs and Correlation Rules involved in an attack. While the Causality View of an alert surfaces related events and processes that Cortex XSIAM identifies as important or interesting, the Timeline displays all related events, alerts, and informational BIOCs and Correlation Rules over time.


The Timeline View is not available when investigating cloud Cortex XSIAM alerts and Cloud Audit Logs or SaaS-related alerts for 501 audit events, such as Office 365 audit logs and normalized logs. Only the applicable Cloud Causality View and SaaS Causality View is available for this data.

Cortex XSIAM presents the Timeline in four parts:



CGO (and process instances that are part of the CGO)

Cortex XSIAM displays the Causality Group Owner (CGO) and the host on which the CGO ran in the top left of the timeline. The CGO is the parent process in the execution chain that Cortex XSIAM identified as being responsible for initiating the process tree. In the example above, wscript.exe is the CGO and the host it ran on was HOST488497. You can also click the blue corner of the CGO to view and filter related processes from the Timeline. This will add or remove the process and related events or alerts associated with the process from the Timeline.


By default, Cortex XSIAM displays a 24-hour period from the start of the investigation and displays the start and end time of the CGO at either end of the timescale. You can move the slide bar to the left or right to focus on any time-gap within the timescale. You can also use the time filters above the table to focus on set time periods.


Depending on the type of activities involved in the CI chain of events, the activity section can present any of the following three lanes across the page:

  • Alerts—The alert icon indicates when the alert occurred.

  • BIOCs and Correlation Rules—The category of the alert is displayed on the left (for example tampering or lateral movement). Each BIOC event also indicates a color associated with the alert severity. An informational severity can indicate something interesting has happened but there were not any triggered alerts. These events are likely benign but are byproducts of the actual issue.

  • Event Information—The event types include process execution, outgoing or incoming connections, failed connections, data upload, and data download. Process execution and connections are indicated by a dot. One dot indicates one connection while many dots indicates multiple connections. Uploads and Downloads are indicated by a bar graph that shows the size of the upload and download.

The lanes depict when the activity occurred and provide additional statistics that can help you investigate. For BIOC, Correlation Rules, and Alerts, the lanes also depict activity nodes, highlighted with their severity color: high (red), medium (yellow), low (blue), or informational (gray), and provide additional information about the activity when you hover over the node.

Related events, alerts, and informational BIOCs

Cortex XSIAM displays up to 100,000 alerts, BIOCs and Correlation Rules (triggered and informational), and events. Click on a node in the activity area of the Timeline to filter the results you see here. Similar to other pages in Cortex XSIAM , you can create filters to search for specific events.