Automation Rules - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Automation Rules enable you to create rules comprised of alert conditions that trigger an action.

Cortex XDR provides an easy way to automate the day to day activities of SOC analysts within XDR. Automation Rules enable you to define alert conditions that trigger the action that you specify within the rule. As alerts are created, Cortex XDR checks if the alert matches any of the alert conditions from the automated rules, and if there is a match, the corresponding action is then triggered. The automation rules only apply to new alerts which will either create a new incident or be combined with an existing one.


Automation rules only apply to alerts that are grouped into incidents by the system. Most alerts with low and informational severity do not allow an automation rule to be automatically executed on them.

The automation rules run in the order they're created. You can drag the rules to change the order. If you select the setting Stop processing after this rule within a rule, the rule is still processed, but the rules following are not processed if alert conditions are met.

Automation Rules support SBAC (scoped based access control). The following parameters are considered when editing a rule.Set up Your Environment

  • If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.

  • If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.

  • To change the order of a rule, you must have permissions to the other rule/s of which you want to change the order.

  • If a rule was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.

The Automation Rules page displays a table of all the rules created.

The following table describes the fields.




The action that is triggered when the alert matches the condition configured within the automation rule,

The options are:

  • Communication

    • Send email

    • Send Slack message

    • Syslog forwarding

  • Alert and Incident Management

    • Assign incident

    • Set alert severity

    • Set alert status

  • Forensics

    • Forensic Triage


      This option requires a license which includes the Forensics Add-on.

  • Endpoint Response

    • Isolate endpoint

    • Retrieve File

    • Run endpoint script

    • Run malware scan

    • Terminate Causality (CGO)

Action Parameters

Required information for the action. For example, for the action Send email, you must enter the email of the person receiving the notification.


The rule condition defined for the automation rule. For example Severity=Critical, where the rule triggers the action on all alerts where Severity=Critical.

Triggering Alerts

The number of alerts triggered by the automation rule.

Stop Processing

Indicates that the Stop processing after this rule is selected.


If the automation rule is enabled or disabled.

Excluded Endpoints

Displays the endpoint/s ID excluded from the automation rule.

Created by

Displays the name of the user that created the automation rule.

Modification Time

Time when the automation rule was last modified.