Manage automation rules - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-09
Category
Administrator Guide
Abstract

Procedure for managing the automation rules of Cortex XDR as needed, including editing, saving as new, disabling, deleting or copying a rule.

Notice

This functionality requires a Cortex XDR Pro license.

Danger

Before you create or manage automation rules, go to Settings > Configuration > Automation Settings and configure the Endpoint Action Limit Thresholds and Automation Rules Notifications. The thresholds bound how many endpoints an automated action can affect, and the notifications tell you when a rule has fired, so set both before any rule is allowed to run unattended.

You can add or edit an automation rule to trigger an action whenever an alert matches the condition defined in the rule.

  1. Navigate to Incident Response > Response > Automation and select Automation Rules.

  2. Click Add Automation Rule, or, to edit an existing rule, hover over the rule and select the edit icon.

  3. Define the rule name and conditions:

    1. Enter a rule name and set the rule status.

    2. In the Alerts table, use the filter to build the criteria that define the condition of the automation rule. Only alerts matching this filter will trigger the rule, so make the filter as specific as the intended action requires.

    3. Click Next.

  4. From the list, select the action to initiate when the alert condition is met.

  5. In the Exclude Endpoints page, select the endpoints to exclude and click Next.

    Note

    This page is only available when the action type is Endpoint Response.

  6. In the Summary page, verify the settings and click Done.

  7. Manage the automation rule as needed. Right-click a rule to see the available actions, such as edit, save as new, disable, delete or copy.