Automation rules enable you to create rules composed of alert conditions that trigger an action.
Notice
This functionality requires a Cortex XDR Pro license.
Cortex XDR provides an easy way to automate the day-to-day activities of SOC analysts. Automation rules enable you to define alert conditions that trigger the action you specify within the rule. As alerts are created, Cortex XDR checks whether each alert matches the alert conditions of any automation rule; if there is a match, the corresponding action is triggered. Automation rules apply only to new alerts, which either create a new incident or are combined with an existing one.
Important
Automation rules only apply to alerts that are grouped into incidents by the system. Most alerts with low and informational severity do not allow an automation rule to be automatically executed on them.
Automation rules run in the order in which they were created. You can drag the rules to change the order. If you select the setting Stop processing after this rule within a rule, that rule is still processed, but when its alert conditions are met, none of the rules that follow it are processed.
Automation rules support scope-based access control (SBAC). The following conditions apply when editing a rule.
If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.
If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.
To change the order of a rule, you must have permissions to the other rule or rules whose order you want to change.
If a rule was added while Scoped Server Access was set to restrictive mode and the mode was then changed to permissive (or vice versa), you have view permissions only.
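As an added illustration (constructed here, not Cortex XDR's own code or API), the following Python models the rule processing order, the Stop processing after this rule setting, and the restrictive/permissive edit check described above as a minimal engine over constructed alerts. The rule names, tags, actions and the alert fields are hypothetical.

```python
# Constructed model of automation-rule semantics; not Cortex XDR code.
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Alert:
    name: str
    severity: str
    grouped_into_incident: bool = True  # rules only apply to alerts grouped into incidents


@dataclass
class Rule:
    name: str
    condition: Callable[[Alert], bool]
    action: str
    stop_processing: bool = False       # "Stop processing after this rule"
    tags: frozenset = frozenset()       # scope tags used by the SBAC edit check


def run_rules(rules: List[Rule], alert: Alert) -> List[str]:
    """Evaluate rules in list order (creation/drag order) and return the actions triggered."""
    actions: List[str] = []
    if not alert.grouped_into_incident:
        return actions
    for rule in rules:
        if rule.condition(alert):
            actions.append(rule.action)
            if rule.stop_processing:
                break  # this rule ran; rules after it are skipped
    return actions


def can_edit(rule: Rule, user_tags: set, mode: str) -> bool:
    """Restrictive: user must be scoped to all rule tags; permissive: to at least one."""
    if not rule.tags:
        return True  # assumption: an untagged rule carries no scope restriction
    if mode == "restrictive":
        return rule.tags <= user_tags
    if mode == "permissive":
        return bool(rule.tags & user_tags)
    raise ValueError(f"unknown mode: {mode}")


# Constructed rule set, in processing order.
RULES = [
    Rule("isolate-critical", lambda a: a.severity == "critical", "isolate_endpoint",
         stop_processing=True, tags=frozenset({"emea", "servers"})),
    Rule("notify-soc", lambda a: a.severity in {"high", "critical"}, "notify_soc",
         tags=frozenset({"emea"})),
]
```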
The Automation Rules page displays a table of all the rules created. The following table describes the fields.