Manage Automation Rules - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex

Manage Automation Rules - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2023-05-22

Last date published

2023-05-22

Category

Administrator Guide

Add or edit an automation rule to trigger an action when the alert matches the condition of the rule created.

Navigate to Incident Response → Response → Automation and select Automation Rules.
Click the Add Automation Rule button or hover over the rule and select the pencil icon to edit the rule.
Rule Name and Conditions:
1. Enter a Rule Name and set the Rule Status.
2. From the Alerts table, use the filter to retrieve the criteria to define the condition of the automation rule.
3. Click Next.
Select Action:
1. From the Action list, select the relevant action to initiate when the alert condition is triggered.
Exclude Endpoints:
Note
This option is only accessible to Action type Endpoint Response.
1. In the Exclude Endpoints page, select the endpoint/s and click Next or click Skip.
In the Summary page, verify the settings and click Done.
Manage the automation rule, as needed.
- Edit
- Save as new—Opens the Clone Automation Rule wizard which enables you to save as a new rule.
- Disable—The rule will not be processed.
- Delete
- Copy entire row—Copy the entire row to your clipboard.