This page lists the actions you can configure for an automation rule in Cortex XDR. When you create an automation rule, its actions run each time an alert matches the rule's condition.
You can configure the following types of actions:
| Action | Settings |
|---|---|
| Communication | Choose one of the options to receive notifications to keep up with alerts. |
| **Alert and Incident Management** | |
| Assign Incident | Assign the incident that is linked to the alert. |
| Set alert status | Alert Status: select the alert status that overrides the present status of the alert. |
| Set alert severity | Alert Severity: select the alert severity that overrides the present severity of the alert. |
| **Forensics** | |
| Forensics Triage | Triage Configuration: select the triage configuration from the list. |
| **Endpoint Response** | |
| Run endpoint script | Run the Action On: the endpoints to run the script on. Script: the script to run. |
| Isolate endpoint / Run malware scan | Run the Action On: the endpoints to isolate or scan. |
| Retrieve File | Retrieve File From: the endpoints to retrieve the file from. |
| Terminate Causality (CGO) | Terminate the causality chain of processes associated with the alert(s) that triggered the automation rule. |
| Stop processing after this rule | When this rule is triggered, it is the last rule processed for the alert; if the rule's condition is not met, later rules are still evaluated. |
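The following is an added illustrative model, not Cortex XDR code, of how ordered rule evaluation with a "Stop processing after this rule" flag behaves. The rule names, the alert fields and the two sample alerts are constructed for the example. It shows the point the table makes: a rule's stop flag only short-circuits later rules when that rule's condition actually matched.

```python
"""Constructed model of automation-rule processing order (illustrative, not Cortex XDR code)."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]          # alert -> bool
    actions: list = field(default_factory=list)  # list of alert -> None callables
    stop_processing: bool = False              # "Stop processing after this rule"


def process_alert(alert: dict, rules: list) -> list:
    """Evaluate rules in order; apply matching rules' actions; return names of rules that fired."""
    fired = []
    for rule in rules:
        if not rule.condition(alert):
            continue  # condition not met: the rule, including its stop flag, is skipped
        fired.append(rule.name)
        for action in rule.actions:
            action(alert)
        if rule.stop_processing:
            break  # this rule fired, so it is the last one processed for this alert
    return fired


# Action helpers mirroring "Set alert severity", "Set alert status" and "Assign Incident".
def set_severity(level: str):
    def _apply(alert: dict) -> None:
        alert["severity"] = level
    return _apply


def set_status(status: str):
    def _apply(alert: dict) -> None:
        alert["status"] = status
    return _apply


def assign_incident(assignee: str):
    def _apply(alert: dict) -> None:
        alert["assignee"] = assignee
    return _apply


# Constructed rule set: the first rule escalates and stops; the others only run when it did not fire.
RULES = [
    Rule("escalate-credential-access",
         lambda a: "credential" in a["name"].lower(),
         [set_severity("high")], stop_processing=True),
    Rule("resolve-lab-host",
         lambda a: a.get("host") == "lab-test-01",
         [set_status("resolved")]),
    Rule("assign-tier1",
         lambda a: True,
         [assign_incident("soc-tier1")]),
]


def run_demo():
    """Process two constructed alerts and return (fired rules, final alert) for each."""
    # Constructed alert: matches the stop-processing rule, so the lab-host rule never runs.
    a1 = {"name": "Credential dumping via LSASS access", "host": "lab-test-01",
          "severity": "medium", "status": "new"}
    # Constructed alert: the stop-processing rule does not match, so evaluation continues.
    a2 = {"name": "Suspicious PowerShell download", "host": "lab-test-01",
          "severity": "low", "status": "new"}
    return (process_alert(a1, RULES), a1), (process_alert(a2, RULES), a2)


if __name__ == "__main__":
    for fired, alert in run_demo():
        print(fired, alert)
```

The key design point is the position of the `break`: it is reached only after the rule's condition matched and its actions ran, so an unmatched rule carrying the stop flag has no effect on the rules that follow it.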