XSIAM Playbook

A.Velusamy — Tue, 17 Mar 2026 10:05:25 GMT

Hi, I want to run one basic playbook automation on every new issue trigged. For example, I have specific conditions where, if a new issue meets those conditions, its severity should be updated. Currently, only one automation rule can be applied to each issue. While using a Job is an option, I am interested to know if there are any other solutions to address this scenario.

Re: XSIAM Playbook

susekar — Tue, 17 Mar 2026 21:54:20 GMT

Hello @A.Velusamy ,

Greetings for the day.

In Cortex XSIAM, automation rules follow a top-to-bottom priority logic where the system stops evaluating rules as soon as the first match is found. This means only one automation rule can trigger per issue.

Beyond using scheduled jobs, there are several architectural solutions to handle applying multiple conditions or updating severity for every new issue:

1. Nested Playbooks (Sub-playbooks)

The most efficient way to bypass the “one rule” limitation is to use sub-playbooks.

Strategy: Create a single “master” automation rule with broad criteria (for example, a catch-all rule at the bottom of your priority list).
Implementation: Link this rule to a master playbook. Inside the playbook, include your base automation tasks and then use conditional logic to trigger different sub-playbooks based on issue attributes. This allows multiple logic paths to execute within the single automation rule.

2. Severity Adjustment at the Source

If your main goal is to update severity, it’s more effective to configure it in the detection rule itself rather than adjusting it afterward.

Strategy: Modify the severity in the correlation rule, BIOC, or analytics rule that generates the issue.
Benefit: The issue is created with the correct severity from the start, which is important because automation rules typically trigger only for Medium severity or higher.

3. The “Severity Flip” Playbook Workaround

If you need automation for low-severity issues that normally wouldn’t trigger rules:

Implementation: Set the originating rule (BIOC or correlation rule) to Medium so a case is created and automation can run.
Execution: As the first step in your playbook, immediately update the severity back to the intended level using:

!setIssueStatus severity="<desired_severity>"

4. Catch-all Rule at Lowest Priority

To ensure baseline automation runs on all unmatched issues:

Place highly specific automation rules at the top of the list.
Add a generic rule at the bottom with broad conditions (for example, Issue Domain = Security) to act as a fallback.

Important Note on Severity

Automation rules generally do not trigger for Low or Informational severity issues because those do not automatically generate a case required to run automation. To ensure automation runs on every issue, you must either raise the severity at the source or rely on scheduled jobs.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar