https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-automation/m-p/1249057#M9172 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-end="343" data-start="83">In Cortex XDR, the priority of an automation rule is determined by its position in the rules list. Because the system follows a <STRONG data-end="233" data-start="211">“First Match Wins”</STRONG> logic, the rules are evaluated sequentially from top to bottom, and only the first matching rule is executed.</P> <P data-end="343" data-start="83">&nbsp;</P> <P data-end="475" data-start="345">If you only have one automation rule, it is effectively <STRONG data-end="415" data-start="401">Priority 1</STRONG> because it is the first and only rule the engine evaluates.</P> <P data-end="475" data-start="345">&nbsp;</P> <H4 data-end="527" data-start="482">How to Manage Rule Priority and Activation:</H4> <P data-end="604" data-start="529">To ensure your rule is properly prioritized and active, follow these steps:</P> <H5 data-end="628" data-start="606">1. Set the Order</H5> <P data-end="775" data-start="629">In the <STRONG data-end="656" data-start="636">Automation Rules</STRONG> table<BR data-end="665" data-start="662" />(<STRONG data-end="711" data-start="666">Incident Response &gt; Response &gt; Automation</STRONG>), the numbers in the left column represent the execution order.</P> <P data-end="870" data-start="777">If you have multiple rules, you can click and drag a rule to change its position in the list.</P> <H5 data-end="901" data-start="877">&nbsp;</H5> <H5 data-end="901" data-start="877">2. Enable the Rule</H5> <P data-end="1029" data-start="902">Newly created rules are often in a disabled (grayed out) state by default. You must manually enable the rule for it to trigger.</P> <P data-end="1029" data-start="902">&nbsp;</P> <H5 data-end="1057" data-start="1036">3. Save Changes:</H5> <P data-end="1198" data-start="1058">Any changes to the rule’s status or its order in the list require you to click <STRONG data-end="1145" data-start="1137">Save</STRONG> in the top-right corner of the configuration screen.</P> <H5 data-end="1244" data-start="1205">&nbsp;</H5> <H5 data-end="1244" data-start="1205">4. Verify Triggering Requirements:</H5> <UL data-end="1648" data-start="1246"> <LI data-end="1387" data-start="1246"> <P data-end="1387" data-start="1248"><STRONG data-end="1268" data-start="1248">New Alerts Only:</STRONG><BR data-end="1271" data-start="1268" />Automation rules are not retroactive. They apply only to new alerts generated after the rule is saved and enabled.</P> </LI> <LI data-end="1648" data-start="1389"> <P data-end="1648" data-start="1391"><STRONG data-end="1416" data-start="1391">Incident Association:</STRONG><BR data-end="1419" data-start="1416" />Automation rules generally trigger only after an alert is attached to an incident. If an alert is not grouped into an incident (which is common for “Low” or “Informational” severity alerts), the automation rule may not execute.</P> </LI> </UL> <P>&nbsp;</P> <H4 data-end="1693" data-start="1655">Important Note on Platform Versions:</H4> <P data-end="1865" data-start="1695">If you are using Cortex XDR version 4.x or have migrated to the unified XSIAM platform, legacy <STRONG data-end="1817" data-start="1790">Simple Automation Rules</STRONG> are deprecated and kept in a read-only state.</P> <P data-is-only-node="" data-is-last-node="" data-end="1986" data-start="1867">In these versions, new automations and their associated priorities are managed through the <STRONG data-end="1977" data-start="1958">Playbook engine</STRONG> instead.</P> <P data-is-only-node="" data-is-last-node="" data-end="1986" data-start="1867">&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 26 Feb 2026 13:37:01 GMT susekar 2026-02-26T13:37:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-automation/m-p/1242010#M8869 <P>is there any way to make the automation rule priority&nbsp;one? i don't have any other&nbsp; rule&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RajeshPremSingh_0-1763392560357.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/69864iF3B2546A6C56D628/image-size/medium?v=v2&amp;px=400" role="button" title="RajeshPremSingh_0-1763392560357.png" alt="RajeshPremSingh_0-1763392560357.png" /></span></P> <P>&nbsp;</P> Mon, 17 Nov 2025 15:17:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-automation/m-p/1242010#M8869 RajeshPremSingh 2025-11-17T15:17:16Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-automation/m-p/1249057#M9172 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-end="343" data-start="83">In Cortex XDR, the priority of an automation rule is determined by its position in the rules list. Because the system follows a <STRONG data-end="233" data-start="211">“First Match Wins”</STRONG> logic, the rules are evaluated sequentially from top to bottom, and only the first matching rule is executed.</P> <P data-end="343" data-start="83">&nbsp;</P> <P data-end="475" data-start="345">If you only have one automation rule, it is effectively <STRONG data-end="415" data-start="401">Priority 1</STRONG> because it is the first and only rule the engine evaluates.</P> <P data-end="475" data-start="345">&nbsp;</P> <H4 data-end="527" data-start="482">How to Manage Rule Priority and Activation:</H4> <P data-end="604" data-start="529">To ensure your rule is properly prioritized and active, follow these steps:</P> <H5 data-end="628" data-start="606">1. Set the Order</H5> <P data-end="775" data-start="629">In the <STRONG data-end="656" data-start="636">Automation Rules</STRONG> table<BR data-end="665" data-start="662" />(<STRONG data-end="711" data-start="666">Incident Response &gt; Response &gt; Automation</STRONG>), the numbers in the left column represent the execution order.</P> <P data-end="870" data-start="777">If you have multiple rules, you can click and drag a rule to change its position in the list.</P> <H5 data-end="901" data-start="877">&nbsp;</H5> <H5 data-end="901" data-start="877">2. Enable the Rule</H5> <P data-end="1029" data-start="902">Newly created rules are often in a disabled (grayed out) state by default. You must manually enable the rule for it to trigger.</P> <P data-end="1029" data-start="902">&nbsp;</P> <H5 data-end="1057" data-start="1036">3. Save Changes:</H5> <P data-end="1198" data-start="1058">Any changes to the rule’s status or its order in the list require you to click <STRONG data-end="1145" data-start="1137">Save</STRONG> in the top-right corner of the configuration screen.</P> <H5 data-end="1244" data-start="1205">&nbsp;</H5> <H5 data-end="1244" data-start="1205">4. Verify Triggering Requirements:</H5> <UL data-end="1648" data-start="1246"> <LI data-end="1387" data-start="1246"> <P data-end="1387" data-start="1248"><STRONG data-end="1268" data-start="1248">New Alerts Only:</STRONG><BR data-end="1271" data-start="1268" />Automation rules are not retroactive. They apply only to new alerts generated after the rule is saved and enabled.</P> </LI> <LI data-end="1648" data-start="1389"> <P data-end="1648" data-start="1391"><STRONG data-end="1416" data-start="1391">Incident Association:</STRONG><BR data-end="1419" data-start="1416" />Automation rules generally trigger only after an alert is attached to an incident. If an alert is not grouped into an incident (which is common for “Low” or “Informational” severity alerts), the automation rule may not execute.</P> </LI> </UL> <P>&nbsp;</P> <H4 data-end="1693" data-start="1655">Important Note on Platform Versions:</H4> <P data-end="1865" data-start="1695">If you are using Cortex XDR version 4.x or have migrated to the unified XSIAM platform, legacy <STRONG data-end="1817" data-start="1790">Simple Automation Rules</STRONG> are deprecated and kept in a read-only state.</P> <P data-is-only-node="" data-is-last-node="" data-end="1986" data-start="1867">In these versions, new automations and their associated priorities are managed through the <STRONG data-end="1977" data-start="1958">Playbook engine</STRONG> instead.</P> <P data-is-only-node="" data-is-last-node="" data-end="1986" data-start="1867">&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 26 Feb 2026 13:37:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-automation/m-p/1249057#M9172 susekar 2026-02-26T13:37:01Z