https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytics-bioc-rules-causality-change-no-of-alerts-rising-but/m-p/485884#M1951 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206384">@Cyber1985</a>&nbsp;It appears that you looking for guidance on how to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/analytics-alert-view" target="_self">investigate Analytics / Analytics BIOC alert sources</A>. From the Alert Table, you may right-click to "Investigate Causality Chain" to view the event table. In this view and depending on the analytics alert type, then you may have host, endpoint connection status, IP, MAC, account of interest (E.g. Username), Parent process ID located at the top left-hand corner of the causality view. If you click the red icon in the view, then you can view context about the alert. If you hover you mouse over the related processes in the causality, then you can review process and analytics profiles information to support your investigation. If you click on the processes in the casualty view, then you will be presented with all applicable actions (E.g. Process, Network, File, Network Connections).&nbsp;</P><P>&nbsp;</P><P>In the alert table, then you can also leverage "Pivot to View" options to conduct additional analysis on <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-artifacts-and-assets/investigate-a-user" target="_self">user</A> / <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-artifacts-and-assets/investigate-an-asset#idfaca1e70-0427-48e1-ac2d-315f94ab040b" target="_self">asset</A> in scope.&nbsp;</P> Mon, 09 May 2022 18:52:11 GMT WSeldenIII 2022-05-09T18:52:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytics-bioc-rules-causality-change-no-of-alerts-rising-but/m-p/485650#M1947 <P>Hello Admins,&nbsp;</P><P>&nbsp;</P><P>We use Analytics BIOC Rules. But where is the Causality Change? No of alerts rising, but where to see who, why and what?</P><P>&nbsp;</P><P>Thank you!&nbsp;</P><P>&nbsp;</P><P>BR</P><P>&nbsp;</P><P>Rob</P> Sun, 08 May 2022 23:30:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytics-bioc-rules-causality-change-no-of-alerts-rising-but/m-p/485650#M1947 Cyber1985 2022-05-08T23:30:27Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytics-bioc-rules-causality-change-no-of-alerts-rising-but/m-p/485731#M1949 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206384">@Cyber1985</a>&nbsp;</P><P>you can go to the Incidents page, then to the alerts table there you can scroll to the right to see all the columns and fields populated, CGO (Causality Group Owner), paths, processes....</P><P>If you click on the 3 dots menu at the top right corner of the alerts table you will see more columns and fields that are not shown by default. You can select them and incorporate them to your view.&nbsp;</P><P>I believe that you'll find there all you'r looking for.&nbsp;</P><P>I hope this helps.</P><P>KR,</P><P>Luis</P><P>Just as an example:&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eluis_0-1652082866383.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/40901iC43DBCEF3E03C499/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="eluis_0-1652082866383.png" alt="eluis_0-1652082866383.png" /></span></P><P>&nbsp;</P> Mon, 09 May 2022 08:58:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytics-bioc-rules-causality-change-no-of-alerts-rising-but/m-p/485731#M1949 eluis 2022-05-09T08:58:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytics-bioc-rules-causality-change-no-of-alerts-rising-but/m-p/485884#M1951 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206384">@Cyber1985</a>&nbsp;It appears that you looking for guidance on how to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/analytics-alert-view" target="_self">investigate Analytics / Analytics BIOC alert sources</A>. From the Alert Table, you may right-click to "Investigate Causality Chain" to view the event table. In this view and depending on the analytics alert type, then you may have host, endpoint connection status, IP, MAC, account of interest (E.g. Username), Parent process ID located at the top left-hand corner of the causality view. If you click the red icon in the view, then you can view context about the alert. If you hover you mouse over the related processes in the causality, then you can review process and analytics profiles information to support your investigation. If you click on the processes in the casualty view, then you will be presented with all applicable actions (E.g. Process, Network, File, Network Connections).&nbsp;</P><P>&nbsp;</P><P>In the alert table, then you can also leverage "Pivot to View" options to conduct additional analysis on <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-artifacts-and-assets/investigate-a-user" target="_self">user</A> / <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-artifacts-and-assets/investigate-an-asset#idfaca1e70-0427-48e1-ac2d-315f94ab040b" target="_self">asset</A> in scope.&nbsp;</P> Mon, 09 May 2022 18:52:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytics-bioc-rules-causality-change-no-of-alerts-rising-but/m-p/485884#M1951 WSeldenIII 2022-05-09T18:52:11Z