Automation Rules enable you to create rules comprised of alert conditions that trigger an action.
Cortex XDR provides an easy way to automate the day to day activities of SOC analysts within XDR. Automation Rules enable you to define alert conditions that trigger the action that you specify within the rule. As alerts are created, Cortex XDR checks if the alert matches any of the alert conditions from the automated rules, and if there is a match, the corresponding action is then triggered. The automation rules only apply to new alerts which will either create a new incident or be combined with an existing one.
Automation rules only apply to alerts that are grouped into incidents by the system. Most alerts with low and informational severity do not allow an automation rule to be automatically executed on them.
The automation rules run in the order they're created. You can drag the rules to change the order. If you select the setting Stop processing after this rule within a rule, the rule is still processed, but the rules following are not processed if alert conditions are met.
Automation Rules support SBAC (scoped based access control). The following parameters are considered when editing a rule.
If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.
If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.
To change the order of a rule, you must have permissions to the other rule/s of which you want to change the order.
If a rule was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.
The Automation Rules page displays a table of all the rules created.
The following table describes the fields.
The action that is triggered when the alert matches the condition configured within the automation rule,
The options are:
Required information for the action. For example, for the action Send email, you must enter the email of the person receiving the notification.
The rule condition defined for the automation rule. For example Severity=Critical, where the rule triggers the action on all alerts where Severity=Critical.
The number of alerts triggered by the automation rule.
Indicates that the Stop processing after this rule is selected.
If the automation rule is enabled or disabled.
Displays the endpoint/s ID excluded from the automation rule.
Displays the name of the user that created the automation rule.
Time when the automation rule was last modified.