02-10-2026 05:22 AM
Hello @tlmarques,
Thank you for the response.
The evolution of the Cortex XDR interface from version 3.X to the current platform design focuses on a drill-down philosophy intended to provide a macro-level overview for immediate triage while housing deep forensic data within specific investigation views. While this may initially feel like it requires more clicks, several features are specifically designed to streamline access to logs and the overall “story” of an event.
To reduce clicks and maintain context while investigating, customers should utilize the following interface capabilities:
Mailbox (Detail) View:
This layout splits the incident screen into two panes. The left pane lists incidents, while the right pane displays the details of the selected incident. This allows analysts to view incident context, alerts, and summaries without navigating away from the main list.
Forensics Highlights:
In the Causality Card view, the Forensics Highlight screen acts as a visual tool to categorize and emphasize the most critical artifacts such as alerts, files, domains, URLs, and IP addresses. This prevents analysts from having to search through complex process graphs for key data points.
Quick Launcher:
Available as an in-context shortcut from anywhere in the console, it allows users to search for information and perform common investigation tasks without manual menu navigation.
To understand the specific steps an actor took (the micro view), analysts should leverage the following paths:
Causality Chain:
Instead of manually correlating individual log entries, Cortex XDR automatically connects events into a causality chain. This presents the sequence of activity—such as process execution, network connections, and file modifications—that led to an alert.
Alert Insights vs. Raw Data:
The Alert Insights page provides a simplified summary for rapid triage.
To access detailed telemetry or “important logs,” analysts can right-click an alert and select Investigate Causality Chain or View Correlated Events to jump directly into the raw XQL event data.
Debug Alert (Advanced):
For the most granular technical details, analysts can hold the Alt key while right-clicking an alert and selecting Debug Alert to view the underlying JSON structure.
The current interface is built around the concept of causality, with the goal of presenting security events as a coherent story. By aggregating large volumes of telemetry into incidents and causality chains, the platform minimizes noise and helps analysts focus only on data that is relevant to the investigation.
If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
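The reply above points analysts at the raw XQL event data behind an alert ("View Correlated Events"). As an added example that is not part of the original post and not Palo Alto Networks' own code, the following XQL query pulls the same kind of telemetry for one causality chain directly in Query Builder. The causality ID string is a constructed placeholder; the real value is the actor_process_causality_id shown on the alert or Causality Card you are investigating. The dataset and field names are standard xdr_data fields, but verify them against your tenant's schema before relying on the query.

```xql
// Added example (not from the original post): list the raw xdr_data events that
// belong to one causality chain, ordered as the actor performed them.
// "CID-PLACEHOLDER-0000" is a constructed placeholder; substitute the
// actor_process_causality_id taken from the alert you are investigating.
dataset = xdr_data
| filter actor_process_causality_id = "CID-PLACEHOLDER-0000"
// Keep the three event classes the causality chain is built from.
| filter event_type in (ENUM.PROCESS, ENUM.NETWORK, ENUM.FILE)
| fields _time, agent_hostname, event_type, event_sub_type,
         causality_actor_process_image_name,
         actor_process_image_name, actor_process_command_line,
         action_process_image_name, action_process_image_command_line,
         action_remote_ip, action_remote_port,
         action_file_path
| sort asc _time
| limit 500
```

Running it with the real causality ID gives the chronological list of process launches, network connections and file writes that the Causality Card summarizes, which is useful when you want to export the chain or correlate it with data from other sources.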