Automation Rules

Cortex XDR Pro Administrator Guide

Cortex XDR provides an easy way to automate the day-to-day activities of SOC analysts within XDR. Automation Rules enable you to define alert conditions that trigger the action you specify within the rule. As alerts are created, Cortex XDR checks whether each alert matches the alert conditions of any automation rule, and if there is a match, the corresponding action is triggered. Automation rules apply only to new alerts; existing alerts are not re-evaluated.

The automation rules run in the order in which they were created. You can drag the rules to change the order. If you select the setting Stop processing after this rule within a rule, that rule is still processed, but when its alert conditions are met, the rules that follow it are not processed for that alert.

Automation Rules support scope-based access control (SBAC). The following parameters are considered when editing a rule.

  • If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule only if you are scoped to all tags in the rule.

  • If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.

  • To change the order of a rule, you must also have permissions on the other rules whose position the change affects.

  • If a rule was added while the mode was set to restrictive and the mode was later changed to permissive (or vice versa), you will only have view permissions on that rule.
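The ordered evaluation with Stop processing after this rule, the per-rule endpoint exclusions, and the restrictive/permissive SBAC edit checks described above are easy to misread, so here is a small model of them. This is an added illustration, not Cortex XDR code: the alert and rule shapes, the tag names, the endpoint IDs, and the treatment of a rule with no tags are constructed assumptions.

```python
"""Toy model of the automation-rule behaviour described in the guide:
rules are evaluated against each new alert in creation order, every
matching rule fires its action, and a matching rule flagged with
"stop processing" halts evaluation of the rules after it.
The SBAC check models the restrictive/permissive editing rules.
Added example, not Cortex XDR code; all data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    condition: dict                  # field -> required value, e.g. {"severity": "critical"}
    action: str                      # e.g. "send_email", "isolate_endpoint"
    stop_processing: bool = False    # "Stop processing after this rule"
    enabled: bool = True             # Status column
    excluded_endpoints: set = field(default_factory=set)  # Excluded Endpoints column
    tags: set = field(default_factory=set)                # tags used for SBAC scoping (assumed)


def matches(rule, alert):
    """A rule matches when every condition field equals the alert's value,
    unless the alert's endpoint is excluded from this particular rule."""
    if alert.get("endpoint_id") in rule.excluded_endpoints:
        return False
    return all(alert.get(key) == value for key, value in rule.condition.items())


def evaluate(rules, alert):
    """Return the (rule name, action) pairs fired for one new alert, honouring
    rule order and the stop-processing flag as the guide describes."""
    fired = []
    for rule in rules:
        if not rule.enabled or not matches(rule, alert):
            continue
        fired.append((rule.name, rule.action))
        if rule.stop_processing:
            break          # later rules are skipped only when this rule matched
    return fired


def can_edit(user_tags, rule, mode):
    """SBAC edit check: restrictive mode requires the user to be scoped to every
    tag on the rule; permissive mode requires at least one shared tag.
    An untagged rule is treated as editable here (assumption, not from the guide)."""
    user_tags = set(user_tags)
    if not rule.tags:
        return True
    if mode == "restrictive":
        return rule.tags <= user_tags
    if mode == "permissive":
        return bool(rule.tags & user_tags)
    raise ValueError(f"unknown scoped-access mode: {mode}")


# Constructed sample rules, listed in creation order (the order the engine uses).
RULES = [
    Rule("notify-critical", {"severity": "critical"}, "send_email", tags={"soc-eu"}),
    Rule("isolate-ransomware", {"severity": "critical", "category": "ransomware"},
         "isolate_endpoint", stop_processing=True,
         excluded_endpoints={"ep-dc-01"}, tags={"soc-eu", "ir-team"}),
    Rule("scan-anything-critical", {"severity": "critical"}, "run_malware_scan"),
]

# Constructed sample alerts.
RANSOMWARE_ALERT = {"severity": "critical", "category": "ransomware", "endpoint_id": "ep-ws-17"}
RANSOMWARE_ON_EXCLUDED = {"severity": "critical", "category": "ransomware", "endpoint_id": "ep-dc-01"}
LOW_ALERT = {"severity": "low", "category": "malware", "endpoint_id": "ep-ws-17"}

if __name__ == "__main__":
    for label, alert in [("workstation ransomware", RANSOMWARE_ALERT),
                         ("excluded domain controller", RANSOMWARE_ON_EXCLUDED),
                         ("low severity", LOW_ALERT)]:
        print(f"{label}: {evaluate(RULES, alert)}")
    analyst = {"soc-eu"}
    print("restrictive edit of isolate-ransomware:", can_edit(analyst, RULES[1], "restrictive"))
    print("permissive edit of isolate-ransomware:", can_edit(analyst, RULES[1], "permissive"))
```

Two behaviours are worth noticing in the output: the excluded domain controller still receives the e-mail and the malware scan, because the exclusion applies to one rule rather than to the alert, and because the isolation rule did not match, its stop-processing flag never prevented the third rule from running.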

The Automation Rules page displays a table of all the rules created.

The following table describes the fields.

Action

The action that is triggered when the alert matches the condition configured within the automation rule. The options are:

  • Communication
    • Send email
    • Send Slack message
    • Syslog forwarding

  • Alert and Incident Management
    • Assign incident
    • Set alert severity
    • Set alert status

  • Endpoint Response
    • Isolate endpoint
    • Retrieve File
    • Run endpoint script
    • Run malware scan

Action Parameters

Required information for the action. For example, for the action Send email, you must enter the email address of the person receiving the notification.

Condition

The rule condition defined for the automation rule. For example, with the condition Severity=Critical, the rule triggers its action on every alert where Severity=Critical.

Triggering Alerts

The number of alerts that have triggered the automation rule.

Stop Processing

Indicates whether Stop processing after this rule is selected for the rule.

Status

Indicates whether the automation rule is enabled or disabled.

Excluded Endpoints

Displays the IDs of the endpoints excluded from the automation rule.

Created by

Displays the name of the user who created the automation rule.

Modification Time

The time when the automation rule was last modified.