Analyze an alert - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn more about analyzing alerts in the alert side panel, alert investigation view, and the causality view.

To help you understand the full context of an alert, Cortex XSIAM provides three views: the alert side panel, the alert investigation view, and the causality view. Together they let you move quickly from the alert summary to a thorough analysis.

The causality view is available for XDR agent alerts that are based on endpoint data, and for alerts raised on network traffic logs that have been stitched with endpoint data. In addition, the cloud causality view lets you analyze Cortex XSIAM cloud alerts and cloud audit logs, and the SaaS causality view lets you analyze and investigate software-as-a-service (SaaS) alerts raised on audit stories, such as Office 365 audit logs and normalized logs.

How to view alert analysis
  1. From the Alerts page, locate the alert you want to analyze.

  2. Click the alert and review the information in the alert side panel. If you want to see more information about the alert, click Investigate to open the alert investigation view.

  3. Right-click anywhere in the alert, and select Investigate Causality Chain.

    You can also view the causality chain over time using the Timeline view.

  4. Review the chain of execution and the available data for the process and, if a process tree is available, navigate through it.