Automation rule actions - Administrator Guide - Cortex XDR - Cortex - Security Operations

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide
Abstract

Includes the list of actions to take when the alert condition of the automation rule is triggered for Cortex XDR.

When you create an automation rule, its actions are triggered each time an alert matches the condition of the rule.

You can configure the following types of actions. Each action is listed below with the settings it offers.

Communication

Choose one of the following options to receive notifications about matching alerts.

  • Send email

  • Send Slack message

  • Syslog forwarding—The servers listed are those integrated with the Cortex XDR tenant.

Alert and Incident Management

Assign Incident

Assign the incident that is linked to the alert.

  • Assign Condition

    • (Default) Assign only to unassigned incidents

    • Always assign

  • Assign To—Select the person from the list to assign the incident.

Set alert status

Alert Status—Select the status that overrides the current status of the alert.

  • New

  • Under Investigation

  • Resolved

Set alert severity

Alert Severity—Select the severity that overrides the current severity of the alert.

  • Critical

  • High

  • Medium

  • Low

Forensics

Forensics Triage

Triage Configuration

Select the triage configuration from the list.

Endpoint Response

Run endpoint script

Run the Action On

  • Alert initiator host—The host shown in the Host field of the alert in the Alerts table.

  • Alert remote host—The host shown in the Remote Host field of the alert in the Alerts table.

Script

  • Script Library

    • Script—Select the script from the list to run on the endpoint. The scripts listed are from the Script Library.

    • Script Timeout (Seconds)—Enter the timeout in seconds.

  • Code Snippet

    • Script—Add commands to create a script to run on the endpoint.

    • Script Timeout (Seconds)—Enter the timeout in seconds.

Isolate endpoint/Run malware scan

Run the Action On

  • Alert initiator host—The host shown in the Host field of the alert in the Alerts table.

  • Alert remote host—The host shown in the Remote Host field of the alert in the Alerts table.

Retrieve File

Retrieve File From

  • Alert initiator file—The file shown in the Initiator Path field of the alert in the Alerts table.

  • Alert causality group owner path—The path shown in the CGO Path field of the alert in the Alerts table.

Terminate Causality (CGO)

Select this option to terminate the causality chain of processes associated with the alert(s) that triggered the automation rule.

Stop processing after this rule

When this rule is triggered, it is the last rule processed for the alert; no subsequent automation rules are evaluated.