Before you create or manage automation rules, go to Settings → Configuration → Automation Settings and configure the settings for Endpoint Action Limit Thresholds and Automation Rules Notifications.
Add or edit an automation rule to trigger an action when an alert matches the condition of the rule.
Navigate to Incident Response → Response → Automation and select Automation Rules.
Click the Add Automation Rule button or, to edit an existing rule, hover over the rule and select the pencil icon.
Rule Name and Conditions:
Enter a Rule Name and set the Rule Status.
From the Alerts table, use the filter to select the criteria that define the condition of the automation rule.
From the Action list, select the relevant action to initiate when the alert condition is triggered.
This option is available only for the Action type Endpoint Response.
In the Exclude Endpoints page, select the endpoints and click Next, or click Skip.
In the Summary page, verify the settings and click Done.
Manage the automation rule, as needed.
Save as new—Opens the Clone Automation Rule wizard, which enables you to save the rule as a new rule.
Disable—The rule will not be processed.
Copy entire row—Copy the entire row to your clipboard.