Cortex XDR provides an easy way to automate the day-to-day activities of SOC analysts within XDR. Automation Rules enable you to define alert conditions that trigger the action you specify within the rule. As alerts are created, Cortex XDR checks whether each alert matches the alert conditions of any automation rule, and if there is a match, the corresponding action is triggered. Automation rules only apply to new alerts.
The automation rules run in the order in which they were created. You can drag the rules to change the order. If you select the setting Stop processing after this rule within a rule, the rule itself is still processed, but when its alert conditions are met the rules that follow it are not processed.
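The ordered evaluation described above, including the Stop processing after this rule behaviour, can be modelled in a few lines. This is an added illustration, not Cortex XDR code or its API: the rule fields, the constructed alerts and the action names (send_email, add_comment, tag_alert) are assumptions chosen for the example. The model also applies the per-rule endpoint exclusion and enabled/disabled state that the rules table on this page describes, so one block covers both passages.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# An alert is modelled as a flat dict of attributes (constructed for the example).
Alert = Dict[str, str]


@dataclass
class AutomationRule:
    """Hypothetical model of one automation rule (not the product's data model)."""
    name: str
    conditions: Dict[str, str]          # e.g. {"severity": "Critical"}
    action: str                         # action triggered on a match
    stop_processing: bool = False       # "Stop processing after this rule"
    enabled: bool = True
    excluded_endpoints: Set[str] = field(default_factory=set)
    alert_count: int = 0                # number of alerts that triggered the rule

    def matches(self, alert: Alert) -> bool:
        # Disabled rules and excluded endpoints never match.
        if not self.enabled:
            return False
        if alert.get("endpoint_id") in self.excluded_endpoints:
            return False
        # Every configured condition must hold (Severity=Critical and so on).
        return all(alert.get(key) == value for key, value in self.conditions.items())


def evaluate(rules: List[AutomationRule], alert: Alert) -> List[str]:
    """Walk the rules in order; return the actions triggered for this alert."""
    triggered = []
    for rule in rules:
        if not rule.matches(alert):
            continue                    # non-matching rules do not stop processing
        rule.alert_count += 1
        triggered.append(rule.action)
        if rule.stop_processing:
            break                       # matched rule with the flag set: stop here
    return triggered


def move_rule(rules: List[AutomationRule], name: str, new_index: int) -> List[AutomationRule]:
    """Reorder rules (the drag-and-drop on the Automation Rules page)."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r is not rule]
    rest.insert(new_index, rule)
    return rest


# Constructed rule set: the first rule stops processing on critical alerts.
RULES = [
    AutomationRule("notify-critical", {"severity": "Critical"}, "send_email",
                   stop_processing=True, excluded_endpoints={"ep-9"}),
    AutomationRule("comment-critical", {"severity": "Critical"}, "add_comment"),
    AutomationRule("tag-high", {"severity": "High"}, "tag_alert"),
]

# Constructed sample alerts.
ALERTS = [
    {"severity": "Critical", "endpoint_id": "ep-1"},   # matches rule 1, stops
    {"severity": "High", "endpoint_id": "ep-2"},       # skips rules 1-2, matches rule 3
    {"severity": "Critical", "endpoint_id": "ep-9"},   # excluded from rule 1, hits rule 2
]


def run_all(rules: List[AutomationRule], alerts: List[Alert]) -> List[List[str]]:
    return [evaluate(rules, alert) for alert in alerts]


if __name__ == "__main__":
    for alert, actions in zip(ALERTS, run_all(RULES, ALERTS)):
        print(alert, "->", actions)
    print({r.name: r.alert_count for r in RULES})
```

The third alert is the case worth checking: because its endpoint is excluded from the first rule, that rule neither fires nor stops processing, so the second rule gets the alert instead.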
Automation Rules support SBAC (scope-based access control). The following parameters are considered when editing a rule.
If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule only if you are scoped to all tags in the rule.
If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.
To change the order of a rule, you must also have permissions for the other rule or rules whose order changes as a result.
If a rule was added while restrictive mode was set, and the mode was then changed to permissive (or vice versa), you will only have view permissions for that rule.
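The scope checks above reduce to a few set operations. The following is an added model of those checks, not Cortex XDR code: the mode names, the idea of recording the mode a rule was created under, and the tag values are assumptions made for the example. It treats a rule whose creation mode differs from the current mode as view-only, as the last point describes.

```python
from typing import Iterable, Set

RESTRICTIVE = "restrictive"
PERMISSIVE = "permissive"


class ScopedRule:
    """Hypothetical rule record carrying its tags and the mode it was created under."""

    def __init__(self, name: str, tags: Iterable[str], created_mode: str):
        self.name = name
        self.tags: Set[str] = set(tags)
        self.created_mode = created_mode


def can_edit(user_tags: Set[str], rule: ScopedRule, current_mode: str) -> bool:
    """Return True if a user with user_tags may edit the rule under current_mode."""
    # A rule created under the other mode is view-only after the mode switch.
    if rule.created_mode != current_mode:
        return False
    if current_mode == RESTRICTIVE:
        # Restrictive: the user must be scoped to every tag in the rule.
        return rule.tags <= user_tags
    if current_mode == PERMISSIVE:
        # Permissive: at least one tag in common is enough.
        return bool(rule.tags & user_tags)
    raise ValueError(f"unknown mode: {current_mode}")


def can_reorder(user_tags: Set[str], affected: Iterable[ScopedRule], current_mode: str) -> bool:
    """Reordering touches several rules; the user needs edit rights on all of them."""
    return all(can_edit(user_tags, rule, current_mode) for rule in affected)


# Constructed example: two rules tagged for different business units.
RULE_A = ScopedRule("rule-a", {"finance", "emea"}, RESTRICTIVE)
RULE_B = ScopedRule("rule-b", {"hr"}, RESTRICTIVE)
ANALYST = {"finance", "emea"}          # scoped to finance/emea only

if __name__ == "__main__":
    print("edit rule-a (restrictive):", can_edit(ANALYST, RULE_A, RESTRICTIVE))
    print("edit rule-b (restrictive):", can_edit(ANALYST, RULE_B, RESTRICTIVE))
    print("reorder a+b:", can_reorder(ANALYST, [RULE_A, RULE_B], RESTRICTIVE))
```

The reorder check is the one that usually surprises people: an analyst who can edit rule-a still cannot drag it past rule-b unless they are also scoped to rule-b.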
The Automation Rules page displays a table of all the rules created.
The following table describes the fields.
The action that is triggered when the alert matches the condition configured within the automation rule.
The options are:
Required information for the action. For example, for the action Send email, you must enter the email of the person receiving the notification.
The rule condition defined for the automation rule. For example, Severity=Critical, where the rule triggers the action on all alerts whose Severity is Critical.
The number of alerts that triggered the automation rule.
Indicates that the Stop processing after this rule setting is selected.
Whether the automation rule is enabled or disabled.
Displays the IDs of the endpoints excluded from the automation rule.
Displays the name of the user who created the automation rule.
Time when the automation rule was last modified.