Causality view - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-02-13
Category: Administrator Guide
Abstract

See the causality of an alert—the entire process execution chain that led up to the alert in the Cortex XSIAM app.

The causality view provides an interactive visualization of the Causality Instance (CI) associated with the alert. In this view you can see the causality (cause and effect) of the events in the entire process execution chain that led up to the alert.

By automating the dot-connection process, Cortex XSIAM helps you to streamline your investigations by providing immediate, actionable insights into security alerts and the related processes in the causality chain.

To open the causality view, right-click an alert on the Incidents or Alerts page. The causality view comprises the causality instance chain, the Information overview, the Forensics Highlights, and the All Events table. Click nodes on the causality chain to see details about each entity in the Information overview and the All Events table. You can also take action on the processes in the chain by clicking Actions or by right-clicking a specific node.

The following sections describe the different areas of the causality view:

Causality instance chain

The causality instance chain is the graphical representation of the Causality Instance (CI), built from process nodes, events, and alerts. The chain presents the process execution and might include events that the processes caused, and alerts that were triggered by the events or processes.

The Causality Group Owner (CGO) is displayed on the left side of the chain. The CGO is the process that is responsible for all the other processes, events, and alerts in the chain. You need the entire CI to fully understand why the alert occurred. A process node displays icons to indicate that an RPC protocol or code injection event was executed on another process, from either a local or remote host:

  • Injected node icon

  • Remote IP address icon

Causality data is displayed as follows:

  • Visualization of the branch between the CGO and the actor process of the alert/event.

  • Displays up to nine additional process branches that reveal alerts related to the alert/event. Branches containing alerts with the nearest timestamp to the original alert/event are displayed first.

  • Causality cards that contain more causality data than is shown display a Showing Partial Causality flag. You can manually add child or parent process branches by right-clicking the process nodes displayed in the graph.
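The following is an added illustration of the chain logic described above (walking parent links up to the Causality Group Owner, extracting the branch from the CGO to the actor process, selecting up to nine related alert branches nearest in time, and raising a partial-causality flag when more exist). It is example code, not Cortex XSIAM's implementation; the process and alert records are constructed sample data, and the field names (`pid`, `parent_pid`, `actor_pid`, `timestamp`) are assumptions made for this example.

```python
# Added illustration of the causality-chain logic; example code, not Cortex
# XSIAM's implementation. All records below are constructed sample data, and
# the field names are assumptions for this example.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Process:
    pid: int
    parent_pid: int          # the parent may be outside the collected records
    name: str
    start_time: int          # constructed, seconds since an arbitrary epoch


@dataclass(frozen=True)
class Alert:
    alert_id: str
    actor_pid: int           # the "actor process" that triggered the alert
    timestamp: int


# Constructed process-start records forming two separate execution chains.
PROCESSES: List[Process] = [
    Process(100, 4,   "explorer.exe",   10),
    Process(200, 100, "outlook.exe",    20),
    Process(300, 200, "winword.exe",    30),
    Process(400, 300, "powershell.exe", 40),
    Process(500, 300, "cmd.exe",        41),
    Process(600, 100, "notepad.exe",    50),
    Process(700, 4,   "svchost.exe",    11),   # separate chain, separate CGO
    Process(710, 700, "wmiprvse.exe",   42),
]

# Constructed alerts; "A1" is the alert whose causality view is opened.
ALERTS: List[Alert] = [
    Alert("A1", 400, 1000),
    Alert("A2", 500, 1100),
    Alert("A3", 600, 2000),
    Alert("A4", 710, 1001),   # nearest in time, but belongs to another CI
]


def index_by_pid(processes: List[Process]) -> Dict[int, Process]:
    return {p.pid: p for p in processes}


def causality_group_owner(by_pid: Dict[int, Process], pid: int) -> int:
    """Walk parent links up to the process whose parent was not recorded.

    That topmost recorded process is the Causality Group Owner (CGO): every
    process, event and alert below it belongs to the same Causality Instance.
    """
    while by_pid[pid].parent_pid in by_pid:
        pid = by_pid[pid].parent_pid
    return pid


def branch(by_pid: Dict[int, Process], pid: int) -> List[int]:
    """Return the process branch from the CGO down to `pid`, in start order."""
    path = []
    while pid in by_pid:
        path.append(pid)
        pid = by_pid[pid].parent_pid
    return list(reversed(path))


def causality_card(processes: List[Process], alerts: List[Alert],
                   alert_id: str, max_related: int = 9) -> dict:
    """Assemble what the view shows: the actor branch, up to nine related
    alert branches (nearest timestamp first) and a partial-causality flag."""
    by_pid = index_by_pid(processes)
    original = next(a for a in alerts if a.alert_id == alert_id)
    cgo = causality_group_owner(by_pid, original.actor_pid)

    # Only alerts whose actor rolls up to the same CGO are part of this CI.
    related = [a for a in alerts
               if a.alert_id != alert_id
               and causality_group_owner(by_pid, a.actor_pid) == cgo]
    related.sort(key=lambda a: abs(a.timestamp - original.timestamp))

    return {
        "cgo": cgo,
        "actor_branch": branch(by_pid, original.actor_pid),
        "related_branches": [branch(by_pid, a.actor_pid)
                             for a in related[:max_related]],
        "partial_causality": len(related) > max_related,
    }


if __name__ == "__main__":
    card = causality_card(PROCESSES, ALERTS, "A1")
    by_pid = index_by_pid(PROCESSES)
    print("CGO:", by_pid[card["cgo"]].name)
    print("Actor branch:", [by_pid[p].name for p in card["actor_branch"]])
    for b in card["related_branches"]:
        print("Related branch:", [by_pid[p].name for p in b])
    print("Partial causality:", card["partial_causality"])
```

Note that alert A4 is the closest in time to A1 but is excluded because its actor rolls up to a different CGO; the selection is made within the CI first and ordered by timestamp proximity second, which is the behaviour the bullets above describe.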

Navigation

You can move the chain, extend it, and modify it. To adjust the appearance of the CI chain, use the size controls on the right. You can also move the chain by selecting and dragging it. To return the chain to its original position and size, click the reset icon in the lower-right corner of the CI graph.

Identity Threat data

When the Identity Threat Module is enabled, for some alerts Cortex XSIAM displays the anomaly that triggered the alert against the backdrop of the baseline behavior. To see the profiles generated by the detector, select Open Alert Visualization. Each tab displays the factors that triggered the alert, the event, and the baseline information, in tabular format or in timeline format depending on the type of event. The graphs display the information in full mode, covering 30 days.

  • The tabular view displays the baseline behavior in a table, with the anomaly highlighted and in a separate line.

  • The timeline view displays the highlighted atypical value, and if applicable, the minimum, maximum, and average values, for the selected period.

Actions

Hover over a process node to display a Process Information pop-up listing useful information about the process. From any process node, you can also right-click to display additional actions that you can perform during your investigation:

  • Show parents and children: If the parent is not displayed by default, you can display it. If the process has children, Cortex XSIAM opens a dialog listing each child process's Start Time, Name, CMD, and Username.

  • Hide branch: Hide a branch from the causality view.

  • Add to block list or allow list, terminate, or quarantine a process: If, after investigating the activity in the CI chain, you want to take action on the process, select the desired action to allow or block the process across your organization.

    In the causality view of a Detection (Post Detected) type alert, you can also Terminate process by hash.

Information overview

The Information overview summarizes information about the selected node in the causality chain.

If you select an alert node, you can see the alert name, source, timestamp, severity, the action taken, the tags assigned to it, and MITRE ATT&CK tactics and techniques identified. If more than one alert is available, you can scroll through the related alerts.

If you select a process node, you can see the path, parent PID, SHA256, associated username, and MITRE ATT&CK details. You can also see the WildFire Score and download the WildFire report.

Forensics Highlights

Forensics Highlights serves as the central cockpit for investigating and navigating the entire causality view, offering a breakdown of events, processes, and other activities so that you can identify and respond to potential threats with precision.

In each section, you can click data points to highlight the related process in the CI. Forensics Highlights includes the following sections:

  • MITRE ATT&CK: Explore forensic insights aligned with the MITRE ATT&CK framework to correlate adversarial techniques with forensics data.

  • Script Engines: Delve into detailed activity logs of script engines to uncover potential execution of malicious scripts and code.

  • Alerts: Gain clarity on triggered alerts for the entire causality chain.

  • Process: Investigate process activities to identify unusual behavior or unauthorized process executions.

  • Network: Analyze forensic data related to network activities, highlighting potential threats in communication flows.

  • File: Uncover file-related forensic evidence to pinpoint suspicious file operations or unauthorized access.

  • Registry: Examine registry-level insights to detect tampering or malicious configuration changes.

  • System Calls: Track low-level system call activities for signs of exploitation or atypical behavior.

  • RPC Calls: Analyze RPC (Remote Procedure Call) forensic data to trace unauthorized remote operations.

All Events table

The All Events table displays up to 100,000 related events for the selected process node. These events match the alert criteria but did not trigger an alert in the alert table; they are informational. The Prevention Actions tab displays the actions Cortex XSIAM takes on the endpoint based on the threat type discovered by the agent.

To continue the investigation, you can perform the following actions from the right-click pivot menu:

  • Add <path type> to the malware profile allow list from the Process or File table, where <path type> is, for example, target_process_path, src_process_path, file_path, or os_parent_path.

  • For the behavioral threat protection results, you can take action on the initiator to add it to an allow list or block list, terminate it, or quarantine it.

  • Revise the event results to see possibly related events near the time of an event: using that event's timestamp, choose Show rows 30 days prior or 30 days after.

Tip

To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab.