XDR Automation Rules not triggering Playbook execution

.522643 — Tue, 21 Apr 2026 04:41:56 GMT

I am experiencing an issue with XDR Automation Rules when attempting to execute a script.

I have configured an automation rule to trigger a Playbooks when a specific event occurs. The Playbook is designed to run the built-in Quick Action: “Run Endpoint Script”, which executes a script registered in Action Center > Scripts Library.

However, the automation rule does not execute the Playbook when the event is triggered.

In contrast, when I go to the Issues menu, right-click a detected event, and select “Run Automation”, the same Playbooks executes successfully without any issues.

Could you please advise why the Automation Rules are not triggering the Playbook execution?

I am using the XDR Pro version, and I understand this functionality should be supported.

Additionally, are there any restrictions on the types of events that Automation Rules can be applied to?

Re: XDR Automation Rules not triggering Playbook execution

susekar — Tue, 21 Apr 2026 17:23:49 GMT

Hello @.522643 ,

Greetings for the day.

(Why Cortex XDR Automation Rules May Not Trigger)

There are several design behaviors and platform restrictions that explain why an automation rule may fail to trigger, even though manual execution of the same playbook works successfully.

Core Reasons for Trigger Failure:

1. Alert Severity Restriction

Automation rules generally trigger only for alerts with a severity of Medium, High, or Critical.

Alerts with Low or Informational severity typically do not support automatic execution. However, manual execution via the Issues menu bypasses this limitation.

2. Action Limit Thresholds (Failsafes):

To prevent unintended large-scale impact, Cortex XDR enforces limits on sensitive actions such as:

Run Endpoint Script
Isolate Endpoint

Threshold Behavior:

If a single rule triggers more than 5 actions across 5 distinct hosts within a 24-hour period, the system will automatically pause the rule and stop further executions.

What to Check:

Review the Automation Audit Log for entries showing a Paused status to confirm whether this threshold has been exceeded.

3. Rule Processing Order:

Legacy XDR

Rules are processed in the order they appear.
If a higher-priority rule matches and has “Stop processing after this rule” enabled, subsequent rules will not be evaluated.

Unified Platform

Rules are evaluated from top to bottom.
Processing stops as soon as the first matching rule is found.

4. Incident Grouping Requirement

Automation rules apply only to alerts that are successfully grouped into incidents.

If an alert is not assigned to an incident, the rule will not trigger.

5. Missing Endpoint Data

If the triggering alert (often from a custom Correlation Rule) does not include required fields such as agent_id or endpoint context:

Actions like Run Endpoint Script will fail because the system cannot determine the target endpoint.

(Restrictions on Event Types)

New Alerts Only

Automation rules apply only to newly generated alerts.
They do not run retroactively on past alerts, even if those alerts match the rule conditions.

Incident Association Required

The alert must be associated with an incident for the automation rule to execute.

Minimum Severity Requirement

Most automated actions require alerts to have a severity higher than Low/Informational.

Scoped Access (SBAC)

If Scoped Server Access Control (SBAC) is enabled:
- Automation rules will only trigger for endpoints that fall within the user’s defined scope tags.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic XDR Automation Rules not triggering Playbook execution in Cortex XDR Discussions