See the causality of an alert—the entire process execution chain that led up to the alert in the Cortex XSIAM app.
The causality view provides a powerful way to analyze and respond to alerts. The scope of the causality view is the Causality Instance (CI) to which this alert pertains. The causality view presents the alert (generated by Cortex XSIAM or sent to Cortex XSIAM from a supported alert source such as the XDR agent) and includes the entire process execution chain that led up to the alert. On each node in the CI chain, Cortex XSIAM provides information to help you understand what happened around the alert.
The causality view comprises the following sections:
Summarizes information about the alert you are analyzing, including the host name, the process name on which the alert was raised, and the host IP and MAC address. For alerts raised on endpoint data or activity, this section also displays the endpoint connectivity status and operating system.
Includes the graphical representation of the Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis.
The causality view presents a single CI chain. The CI chain is built from process nodes, events, and alerts. The chain presents the process execution and might also include events that these processes caused and alerts that were triggered by the events or processes. The Causality Group Owner (CGO) is displayed on the left side of the chain. The CGO is the process that is responsible for all the other processes, events, and alerts in the chain. You need the entire CI to fully understand why the alert occurred.
Note
There are no CGOs in the cloud causality view (when investigating cloud Cortex XSIAM alerts and cloud audit logs) or in the SaaS causality view (when investigating SaaS-related alerts for 501 audit events, such as Office 365 audit logs and normalized logs).
Causality data is displayed as follows:
Visualization of the branch between the CGO and the actor process of the alert/event.
Up to nine additional process branches that reveal alerts related to the alert/event. Branches containing alerts with the timestamp nearest to the original alert/event are displayed first.
Causality cards that contain more causality data than is shown display a Showing Partial Causality flag. You can manually add child or parent process branches by right-clicking the process nodes displayed in the graph.
The causality view provides an interactive way to view the CI chain for an alert. You can move it, extend it, and modify it. To adjust the appearance of the CI chain, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click in the lower-right of the CI graph.
Click an alert to display its name, source, timestamp, severity, the action taken, the tags assigned to it, and its description.
When the Identity Threat Module is enabled, Cortex XSIAM displays, for some alerts, the anomaly that triggered the alert against the backdrop of baseline behavior. To see the profiles generated by the detector, click Open Alert Visualization. Each tab displays the factors that triggered the alert, the event, and the baseline information in tabular or timeline format, depending on the type of event. The graphs display the information in full mode, covering 30 days.
The tabular view displays the baseline behavior in a table, with the anomaly highlighted and in a separate line.
The timeline view displays the highlighted atypical value, and if applicable, the minimum, maximum, and average values, for the selected period.
The process node displays icons to indicate when an RPC protocol or code injection event was executed on another process from either a local or remote host.
Injected Node
Remote IP address
Hover over a process node to display a Process Information pop-up listing useful information about the process. From any process node, you can also right-click to display additional actions that you can perform during your investigation:
Show parents and children: If the parent is not displayed by default, you can display it. If the process has children, Cortex XSIAM opens a dialog listing each child process's Start Time, Name, CMD, and Username.
Hide branch: Hide a branch from the causality view.
Add to block list or allow list, terminate, or quarantine a process: If, after investigating the activity in the CI chain, you want to take action on the process, select the desired action to allow or block the process across your organization.
In the causality view of a Detection (Post Detected) type alert, you can also Terminate process by hash.
Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred.
For example, device type, device information, and remote IP address.
When you investigate command-line arguments, click {***} to obfuscate or decode the base64-encoded string.
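As an added example, not part of the Cortex XSIAM documentation or product, the Python below does offline what the decode control does for a command line copied out of the Entity Data pane: it finds base64-looking arguments, restores any stripped padding, and decodes them as UTF-16LE (the encoding PowerShell uses for -EncodedCommand) or UTF-8. The sample command line is constructed here, and the helper names are assumptions of this example.

```python
import base64
import binascii
import re

# A token is treated as candidate base64 only if it is at least 16 chars of the
# base64 alphabet plus optional '=' padding; shorter tokens give false positives.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _pad(token: str) -> str:
    """Restore '=' padding that log pipelines sometimes strip."""
    return token + "=" * (-len(token) % 4)


def _to_text(raw: bytes) -> str:
    """PowerShell -EncodedCommand is UTF-16LE; most other tools use UTF-8.
    A NUL in every odd byte position is taken as the UTF-16LE signature."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def _is_text(s: str) -> bool:
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_cmdline_base64(cmdline: str) -> list[tuple[str, str]]:
    """Return (token, decoded_text) pairs for each argument that is valid
    base64 and decodes to readable text; binary blobs are skipped."""
    results = []
    for token in cmdline.split():
        token = token.strip("\"'")
        if not B64_TOKEN.match(token):
            continue
        try:
            text = _to_text(base64.b64decode(_pad(token), validate=True))
        except (binascii.Error, UnicodeDecodeError):
            continue
        if _is_text(text):
            results.append((token, text))
    return results


# Constructed sample: a benign encoded PowerShell command line. The base64 is
# generated here from SAMPLE_SCRIPT, not captured from a real endpoint.
SAMPLE_SCRIPT = "Get-ChildItem C:\\Users | Select-Object Name"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_ENCODED

if __name__ == "__main__":
    for token, text in decode_cmdline_base64(SAMPLE_CMDLINE):
        print(f"{token[:24]}... -> {text}")
```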
For continued investigation, you can copy the entire entity data summary to the clipboard.
You can choose to isolate the host, on which the alert was triggered, from the network or initiate a live terminal session to the host to continue investigation and remediation.
The All Events table displays up to 100,000 related events for the process node that match the alert criteria but did not themselves trigger an alert in the alert table and are informational. The Prevention Actions tab displays the actions Cortex XSIAM takes on the endpoint based on the threat type discovered by the agent.
To continue the investigation, you can perform the following actions from the right-click pivot menu:
Add <path type> to malware profile allow list from the Process and File table. For example, target_process_path, src_process_path, file_path, or os_parent_path.
For the behavioral threat protection results, you can take action on the initiator to add it to an allow list or block list, terminate it, or quarantine it.
Revise the event results to see possibly related events near the time of an event by using an updated timestamp value to show rows 30 days prior or 30 days after.
Tip
To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab.