03-17-2026 03:05 AM
Hi, I want to run one basic playbook automation on every new issue triggered. For example, I have specific conditions where, if a new issue meets those conditions, its severity should be updated. Currently, only one automation rule can be applied to each issue. While using a Job is an option, I am interested to know if there are any other solutions to address this scenario.
03-17-2026 02:54 PM
Hello @A.Velusamy ,
Greetings for the day.
In Cortex XSIAM, automation rules follow a top-to-bottom priority logic where the system stops evaluating rules as soon as the first match is found. This means only one automation rule can trigger per issue.
Beyond using scheduled jobs, there are several architectural solutions to handle applying multiple conditions or updating severity for every new issue:
The most efficient way to bypass the “one rule” limitation is to use sub-playbooks.
Strategy: Create a single “master” automation rule with broad criteria (for example, a catch-all rule at the bottom of your priority list).
Implementation: Link this rule to a master playbook. Inside the playbook, include your base automation tasks and then use conditional logic to trigger different sub-playbooks based on issue attributes. This allows multiple logic paths to execute within the single automation rule.
If your main goal is to update severity, it’s more effective to configure it in the detection rule itself rather than adjusting it afterward.
Strategy: Modify the severity in the correlation rule, BIOC, or analytics rule that generates the issue.
Benefit: The issue is created with the correct severity from the start, which is important because automation rules typically trigger only for Medium severity or higher.
If you need automation for low-severity issues that normally wouldn’t trigger rules:
Implementation: Set the originating rule (BIOC or correlation rule) to Medium so a case is created and automation can run.
Execution: As the first step in your playbook, immediately update the severity back to the intended level using:
To ensure baseline automation runs on all unmatched issues:
- Place highly specific automation rules at the top of the list.
- Add a generic rule at the bottom with broad conditions (for example, Issue Domain = Security) to act as a fallback.
Automation rules generally do not trigger for Low or Informational severity issues because those do not automatically generate a case required to run automation. To ensure automation runs on every issue, you must either raise the severity at the source or rely on scheduled jobs.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
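The design described in the answer above (first-match-wins rule order, a catch-all rule at the bottom feeding a master playbook that fans out to sub-playbooks, and the raise-to-Medium-then-restore workaround), as an added executable model that is not part of the original post or of Cortex XSIAM itself. The rule names, sub-playbook names, severity threshold and routing table are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model: first-match-wins rule evaluation, a Medium+ case threshold,
# and a master playbook that fans out to sub-playbooks under one automation rule.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High", "Critical"]
CASE_THRESHOLD = "Medium"  # below this no case is created, so no rule fires

@dataclass
class Issue:
    name: str
    domain: str
    severity: str
    source: str  # name of the detection rule (BIOC, correlation, analytics) that raised it
    playbooks_run: List[str] = field(default_factory=list)

@dataclass
class AutomationRule:
    name: str
    condition: Callable[[Issue], bool]
    playbook: str

def first_matching_rule(rules: List[AutomationRule], issue: Issue) -> Optional[AutomationRule]:
    """Evaluate top-to-bottom and stop at the first match: one rule per issue."""
    if SEVERITY_ORDER.index(issue.severity) < SEVERITY_ORDER.index(CASE_THRESHOLD):
        return None
    return next((r for r in rules if r.condition(issue)), None)

# Hypothetical routing table inside the master playbook; every matching route runs.
SUB_PLAYBOOK_ROUTES = [
    (lambda i: i.source.startswith("BIOC"), "Sub-BIOC-Enrichment"),
    (lambda i: i.domain == "Security" and "Malware" in i.name, "Sub-Malware-Triage"),
]

def master_playbook(issue: Issue, intended_severity: Optional[str]) -> Issue:
    if intended_severity:  # first task: restore the level the source rule was raised from
        issue.severity = intended_severity
    issue.playbooks_run.append("Base-Tasks")
    issue.playbooks_run += [sub for cond, sub in SUB_PLAYBOOK_ROUTES if cond(issue)]
    return issue

def run_automation(rules: List[AutomationRule], issue: Issue, intended: Dict[str, str]) -> Issue:
    """intended maps a detection-rule name to the severity its issues should really have."""
    rule = first_matching_rule(rules, issue)
    if rule is None:
        return issue
    if rule.playbook == "Master-Playbook":
        return master_playbook(issue, intended.get(issue.source))
    issue.playbooks_run.append(rule.playbook)
    return issue
```

Swapping the order of the two rules in a run shows why the catch-all must sit last: placed first, it shadows every specific rule below it.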