Create an automation rule - Learn how to create an automation rule for an issue. - Administrator Guide - Cortex XDR - Cortex

Create an automation rule - Learn how to create an automation rule for an issue. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-04

Note

In addition to the Automation Rules feature, the XDR Automation menu item is available if you migrated from Cortex XDR 3.x to Cortex XDR 5.x and had rules configured in your previous environment.

Location: These legacy rules are located under Investigation & Response → Automation → XDR Automation.
Operational but read-only: Existing rules from your Cortex XDR 3.x environment continue to function as originally configured, but they are now read-only. You cannot edit existing legacy rules or create new rules within this section.
Migration: We recommend transitioning your legacy automation logic to the new Automation Rules, found under Investigation & Response → Automation → Automation Rules.
Functional difference: Legacy XDR Automation rules allowed for multiple independent actions to be assigned to a single trigger. In contrast, the new Automation Rules trigger a single Playbook or Quick Action per issue.

When working with automation rules, consider how object-level access affects visibility and configuration:

Role permissions for rules: To create automation rules or edit existing ones that trigger Quick Actions and playbooks, you must have Scripts and Playbooks enabled in your role (under Investigation & Response → Automations with Edit Public Playbooks selected).
Rule visibility vs. playbook access: You can view all automation rules in the list, including those configured to trigger playbooks you do not have access to. This ensures full visibility into the order and logic of automated workflows in your environment.
Playbook selection: While all rules are visible, you can only select a playbook ito which you have at least Viewer access.

If certain options are unavailable, contact your administrator. For more information, see Manage access to playbooks and scripts.

Target issues: Automation rules apply to Medium and higher severity issues. They also apply to Low severity Analytic issues and Low severity ABIOC issues that are tagged with Identity or Cloud.
Evaluation order: Rules are evaluated in order, and only the first rule that matches the trigger conditions is executed.
Trigger timing: Automation rules trigger only upon the initial ingestion of an issue. Subsequent updates will not re-trigger the rule, even if the issue still meets the criteria.
Structure: The rules consist of three parts:
- WHEN: Stands for the trigger type. WHEN is set to Issue is created.
- IF: Stands for the conditions that need to be met for the rule to run.
- THEN: The automation that the user wants to execute: playbook, Quick action, or agent.

In the Automation Rules page, you can create or edit an automation rule, use recommended automation rules, edit a playbook, and change the order of priority. You can also delete or disable/enable an automation rule. When you disable an automation rule, the automation does not run for the selected condition.

Note

You can also define the conditions that trigger a specific playbook in the playbook editor. For more information, see Task 2. Configure playbook settings

Create an automation rule for issues where conditions from the automation rule are met, so that the automation, whether it is a Quick Action or a playbook, automatically runs.

For example, if the IF condition is severity=critical and the Then action is the Quick Action - Create Jira Ticket, the automation rule is triggered when a critical severity issue is detected, and then the Jira ticket is created.

Select Investigation & Response → Automation → Automation Rules.
Click Add Automation Rule or right-click a rule, select Edit rule, or click the edit button.
Enter a rule name.
(Optional) Provide a short description of the rule.
(Optional) Change the rule status. A rule can be enabled or disabled.
Define the rule conditions:
1. For If, click Add Condition and from the Issues table, use the filter to set the criteria for the rule, and then click Save.
  For example, filter the field Severity, and then select the value Critical. The Issues table returns all issues where the severity=critical.
2. For Then, click Add Automation.
  1. If you clicked Add Agent, choose an agent from the Select Agent window. You can search for an agent or click on any of the agents shown. Hovering over an agent card shows a summary and the option to click Show agent to view the full list of actions available to the agent.
3. Choose the playbook or Quick Action to which you have access from the Select Automation window. You can search for an automation or click on any of the Quick Actions and playbooks shown.
  - Quick Actions: After selecting a Quick Action, you can set action parameters. For the Create Jira Ticket Quick Action, for example, you can enter the Description, Issue Type, Project Key, and Summary.
    Note
    Quick Actions, by default, run using all available integration instances that contain the command. When selecting a Quick Action for an automation rule, you can instead choose one specific integration instance to use.
    For more information on Quick Actions, see Quick Actions.
  - Playbooks: Click to view the description and playbook preview.
    If you want to use a playbook that is not part of your Org Playbooks, show Playbook Catalog for a full list of available playbooks. For more information on playbooks, see Manage playbooks.
    The list of available playbooks is filtered based on your access; you will only see playbooks that you own, that have been shared with you, or that are marked as Public. For more information, see Access to playbooks.
4. Click OK.
Click Create.

You can add automation rules recommended by Cortex XDR.

Select Investigation & Response → Automation → Automation Rules.
Click View Recommendations.
In the Automation Rule Recommendations table, view and select the required recommended automation rules to add to the Automation Rules table.
For playbooks, you can click the playbook name to preview. For Quick Actions, you can view the description and available parameters.
Click Add Selected rules.
Verify the order of the automation rule and change the order (if required),
Save the changes to the Automation Rules table.

After you create an automation rule, the rule is added to the Automation Rules table. In the Automation Rules table, you can do the following:

Set the priority of the automation rules, so when an issue is created, the first rule takes priority, then the second, third, etc. Only the first matching rule is executed.
New rules created manually are added to the bottom of the table.
View details of the automation rules that have been created.
By default, you can see the condition, automation, and the creation dates and source. You can add columns and filters as required. To edit, disable, or delete an automation rule, right-click on the rule.

Automation rules support SBAC (scope-based access control). The following parameters are considered when editing a rule:

If Scope-Based Access Control (SBAC) is enabled and Endpoint Scoping Mode is set to restrictive mode, you can edit an automation rule if you are scoped to all tags in the rule.
If Scope-Based Access Control (SBAC) is enabled and Endpoint Scoping Mode is set to permissive mode, you can edit an automation rule if you are scoped to at least one tag listed in the rule.
As a scoped user who has editing permissions to a rule, you can change the order among other rules that are locked.
If a rule was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.