XDR Automation Rules not triggering Playbook execution


L0 Member

I am experiencing an issue with XDR Automation Rules when attempting to execute a script.

I have configured an automation rule to trigger a Playbook when a specific event occurs. The Playbook is designed to run the built-in Quick Action: “Run Endpoint Script”, which executes a script registered in Action Center > Scripts Library.

However, the automation rule does not execute the Playbook when the event is triggered.

In contrast, when I go to the Issues menu, right-click a detected event, and select “Run Automation”, the same Playbook executes successfully without any issues.

Could you please advise why the Automation Rules are not triggering the Playbook execution?

I am using the XDR Pro version, and I understand this functionality should be supported.

Additionally, are there any restrictions on the types of events that Automation Rules can be applied to?

1 REPLY 1

L5 Sessionator

Hello @.522643 ,


Greetings for the day.

(Why Cortex XDR Automation Rules May Not Trigger)

There are several design behaviors and platform restrictions that explain why an automation rule may fail to trigger, even though manual execution of the same playbook works successfully.


Core Reasons for Trigger Failure:

1. Alert Severity Restriction

Automation rules generally trigger only for alerts with a severity of Medium, High, or Critical.

Alerts with Low or Informational severity typically do not support automatic execution. However, manual execution via the Issues menu bypasses this limitation.


2. Action Limit Thresholds (Failsafes):

To prevent unintended large-scale impact, Cortex XDR enforces limits on sensitive actions such as:

  • Run Endpoint Script
  • Isolate Endpoint

Threshold Behavior:

  • If a single rule triggers more than 5 actions across 5 distinct hosts within a 24-hour period, the system will automatically pause the rule and stop further executions.

What to Check:

  • Review the Automation Audit Log for entries showing a Paused status to confirm whether this threshold has been exceeded.

3. Rule Processing Order:

Legacy XDR

  • Rules are processed in the order they appear.
  • If a higher-priority rule matches and has “Stop processing after this rule” enabled, subsequent rules will not be evaluated.

Unified Platform

  • Rules are evaluated from top to bottom.
  • Processing stops as soon as the first matching rule is found.

4. Incident Grouping Requirement

Automation rules apply only to alerts that are successfully grouped into incidents.

  • If an alert is not assigned to an incident, the rule will not trigger.

5. Missing Endpoint Data

If the triggering alert (often from a custom Correlation Rule) does not include required fields such as agent_id or endpoint context:

  • Actions like Run Endpoint Script will fail because the system cannot determine the target endpoint.


(Restrictions on Event Types)

New Alerts Only

  • Automation rules apply only to newly generated alerts.
  • They do not run retroactively on past alerts, even if those alerts match the rule conditions.

Incident Association Required

  • The alert must be associated with an incident for the automation rule to execute.

Minimum Severity Requirement

  • Most automated actions require alerts to have a severity higher than Low/Informational.

Scoped Access (SBAC)

  • If Scoped Server Access Control (SBAC) is enabled:
    • Automation rules will only trigger for endpoints that fall within the user’s defined scope tags.


If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".


Thanks & Regards,
S. Subashkar Sekar
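As an added illustration (not Cortex XDR code and not part of the reply above), the conditions the reply lists can be modelled as a small triage function that returns why a rule would not fire for a given alert, plus the action-limit failsafe that pauses a rule. Field names, the hour-based timestamps and the reading of the "more than 5 actions across 5 distinct hosts" threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed constants taken from the reply: automatic execution needs
# Medium/High/Critical severity, and the failsafe pauses a rule after more
# than 5 actions across 5 distinct hosts within 24 hours. Timestamps are
# plain hour counts to keep the model simple.
AUTO_SEVERITIES = {"medium", "high", "critical"}
MAX_ACTIONS, MIN_DISTINCT_HOSTS, WINDOW_HOURS = 5, 5, 24.0

@dataclass
class Alert:
    severity: str
    incident_id: Optional[str]          # None = not grouped into an incident
    agent_id: Optional[str]             # None = no endpoint context in the alert
    scope_tags: Set[str] = field(default_factory=set)

@dataclass
class Rule:
    name: str
    sbac_scope: Optional[Set[str]] = None     # None = SBAC not enabled
    history: List[Tuple[float, str]] = field(default_factory=list)  # (hour, agent_id)
    paused: bool = False

def blockers(rule: Rule, alert: Alert) -> List[str]:
    """Return the reasons the rule would NOT fire for this alert (empty list = it fires)."""
    reasons = []
    if rule.paused:
        reasons.append("rule paused by action-limit failsafe")
    if alert.severity.lower() not in AUTO_SEVERITIES:
        reasons.append("severity below Medium")
    if alert.incident_id is None:
        reasons.append("alert not grouped into an incident")
    if alert.agent_id is None:
        reasons.append("no agent_id / endpoint context for Run Endpoint Script")
    if rule.sbac_scope is not None and not (alert.scope_tags & rule.sbac_scope):
        reasons.append("endpoint outside SBAC scope tags")
    return reasons

def record_action(rule: Rule, hour: float, agent_id: str) -> bool:
    """Record one executed action and apply the failsafe; returns True once the rule is paused."""
    rule.history.append((hour, agent_id))
    recent = [(t, a) for t, a in rule.history if hour - t <= WINDOW_HOURS]
    distinct_hosts = {a for _, a in recent}
    # Reading of "more than 5 actions across 5 distinct hosts" is an assumption.
    if len(recent) > MAX_ACTIONS and len(distinct_hosts) >= MIN_DISTINCT_HOSTS:
        rule.paused = True
    return rule.paused
```

Feeding the audit-log history of a rule into record_action and the failing alert into blockers gives the same checklist the reply walks through, which is a quicker first pass than reading the rules by hand.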
