Automation Settings - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-02-26
Last date published: 2024-05-22
Category: Administrator Guide
Abstract

Threshold limits can be set for the endpoint actions that automation rules perform.

Before you begin creating automation rules, consider setting thresholds for the following endpoint actions:

Note: Only administrators can configure these settings.

Endpoint Action Limit Thresholds (each setting is followed by its description)
Setting: Isolate endpoint on up to _ endpoints in _ hour/s

Description: When an alert condition is triggered and the specified action is to isolate the endpoint, this threshold caps the number of endpoints that can be isolated within the defined period. This prevents a large number of endpoints from being isolated from the network at the same time.

If the setting is turned off, there is no threshold on endpoint isolation.

Setting: Run endpoint script on up to _ endpoints in _ hour/s

Description: When an alert condition is triggered and the specified action is to run the endpoint script, this threshold caps the number of endpoints on which the script can run within the defined period. This prevents a large number of endpoints from running scripts at the same time.

If the setting is turned off, there is no threshold on running scripts on endpoints.

Setting: Terminate Causality (CGO) on up to _ endpoints in _ hour/s

Description: When an alert condition is triggered and the specified action is to terminate causality, this threshold caps the number of endpoints on which the causality chain of processes can be terminated within the defined period. This prevents a large number of endpoints from terminating causality chains at the same time.

If the setting is turned off, there is no threshold on terminating causality on endpoints.

Setting: Forensic Triage on up to _ endpoints in _ hour/s

Description: When an alert condition is triggered and the specified action is Forensic Triage, this threshold caps the number of endpoints that can be triaged within the defined period. This prevents a large number of endpoints from being triaged at the same time.

If the setting is turned off, there is no threshold on forensic triage of endpoints.

Note: This option is only accessible to users who have the forensics add-on license.
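All four thresholds express the same control: a cap of N endpoints per H-hour window that bounds the blast radius of an automated response when a rule misfires or an alert storm hits. The following Python model is an illustration added here, not Cortex XDR code, and it makes two assumptions the page does not state: the window counts distinct endpoints acted on, and a threshold that is turned off allows every request. It runs a constructed burst of six alerts against a cap of three isolations per hour so the held-back endpoints can be seen.

```python
"""Sliding-window cap on automated endpoint actions (added illustration).

Assumptions (not stated by the product documentation):
  - the cap counts distinct endpoints acted on within the trailing window
  - a threshold of None means the setting is turned off (no cap at all)
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional


class ActionThrottle:
    """Decide whether an automation rule may run an action on an endpoint."""

    def __init__(self) -> None:
        # action name -> (max_endpoints, window); None means threshold is off
        self.thresholds: dict[str, Optional[tuple[int, timedelta]]] = {}
        # action name -> list of (timestamp, endpoint_id) already executed
        self.history: dict[str, list[tuple[datetime, str]]] = defaultdict(list)

    def set_threshold(self, action: str, max_endpoints: int, hours: int) -> None:
        """Equivalent of 'up to <max_endpoints> endpoints in <hours> hour/s'."""
        self.thresholds[action] = (max_endpoints, timedelta(hours=hours))

    def disable_threshold(self, action: str) -> None:
        """Equivalent of turning the setting off."""
        self.thresholds[action] = None

    def endpoints_in_window(self, action: str, now: datetime) -> set[str]:
        """Distinct endpoints this action touched inside the trailing window."""
        limit = self.thresholds.get(action)
        if limit is None:
            return set()
        _, window = limit
        cutoff = now - window
        return {ep for ts, ep in self.history[action] if ts > cutoff}

    def request(self, action: str, endpoint_id: str, now: datetime) -> bool:
        """Record and allow the action if it fits under the cap, else refuse."""
        limit = self.thresholds.get(action)
        if limit is None:  # setting turned off: no threshold
            self.history[action].append((now, endpoint_id))
            return True
        max_endpoints, _ = limit
        recent = self.endpoints_in_window(action, now)
        # An endpoint already acted on in this window does not use a new slot
        if endpoint_id not in recent and len(recent) >= max_endpoints:
            return False
        self.history[action].append((now, endpoint_id))
        return True


def simulate_burst() -> dict:
    """Constructed scenario: a rule fires on six endpoints within minutes
    while the cap is 3 isolations per 1 hour; one more alert arrives 2 hours
    later, after the window has slid past the burst."""
    t0 = datetime(2024, 5, 22, 9, 0)  # constructed timestamp
    throttle = ActionThrottle()
    throttle.set_threshold("isolate", max_endpoints=3, hours=1)
    decisions = []
    for i in range(6):
        host = f"host-{i:02d}"  # constructed endpoint ids
        allowed = throttle.request("isolate", host, t0 + timedelta(minutes=i))
        decisions.append((host, allowed))
    later = throttle.request("isolate", "host-99", t0 + timedelta(hours=2))
    return {
        "burst": decisions,
        "later": later,
        # endpoints the rule wanted to isolate but the cap held for analyst review
        "held_for_review": [ep for ep, ok in decisions if not ok],
    }


def disabled_allows_all(n: int) -> bool:
    """With the threshold turned off, every request goes through."""
    throttle = ActionThrottle()
    throttle.disable_threshold("run_script")
    t = datetime(2024, 5, 22, 9, 0)
    return all(throttle.request("run_script", f"h{i}", t) for i in range(n))


if __name__ == "__main__":
    result = simulate_burst()
    for host, ok in result["burst"]:
        print(f"{host}: {'isolated' if ok else 'held (cap reached)'}")
    print("alert 2h later allowed:", result["later"])
    print("held for review:", result["held_for_review"])
```

The refused requests are the point of the control: they are not lost, they are the cases an analyst should review by hand, so whatever sits behind the cap in a real deployment should record them rather than silently drop them.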

Automation Rule Notifications (each setting is followed by its description)

Setting: Distribution List

Description: Enter the email addresses of the people to notify.

Setting: Slack

Description: Enter the Slack contact to notify.