Autonomous playbooks

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

The Autonomous Playbooks feature includes autonomous playbooks and autonomous automation rules that respond to Cortex Analytics issues.

The Autonomous Playbooks feature provides fully managed security automation that operates with minimal user intervention. By leveraging Palo Alto Networks' deep security knowledge, autonomous playbooks deliver highly accurate conclusions and precise logic through a new, streamlined interface that displays only the essential tasks you need to see.

Note

This feature is enabled by default for all new tenants created on or after May 31st, 2026. If you would like to add this feature to an existing tenant, contact Customer Support.

The system automatically updates and maintains all autonomous playbooks and related automation rules, eliminating the need for your team to manually configure or manage complex playbook logic. As new autonomous playbooks and autonomous automation rules are released, the new content is automatically added to your environment.

Autonomous playbooks and autonomous automation rules apply only to Cortex Analytics issues, and are currently limited to the following domains:

  • Single Sign On (SSO)

  • Azure

  • ITDR

  • Active Directory

  • Active Directory Certificate Services (ADCS)

  • SaaS

  • Microsoft Exchange

  • Google Workspace

  • Windows EDR

  • NDR

  • macOS EDR

  • Linux EDR

Note

Autonomous playbooks are limited to 100 autonomous playbook runs per hour. If this limit is exceeded, you may experience delays in execution.