Manage automation rules


Product: Cortex XDR
License: Prevent, Pro
Creation date: 2024-03-06
Last date published: 2025-06-16
Category: Administrator Guide

Abstract: Learn how to manage automation rules for Cortex XDR.

Important

Before you create or manage automation rules, go to Settings → Configuration → Automation Settings and configure the settings for Endpoint Action Limit Thresholds and Automation Rules Notifications.

Add or edit an automation rule to trigger an action when an alert matches the rule's condition.

  1. Navigate to Incident Response → Response → Automation and select Automation Rules.

  2. Click Add Automation Rule.

  3. For rule name and conditions, do the following:

    1. Enter a Rule Name and set the Rule Status.

    2. From the Alerts table, use the filter to retrieve the criteria to define the condition of the automation rule.

    3. Click Next.

  4. From the Action list, select the relevant action to initiate when the alert condition is triggered.

  5. On the Exclude Endpoints page, select the endpoint and click Next.

    Note

    This option is available only for the Endpoint Response action type.

  6. On the Summary page, verify the settings and click Done.