
Hello @PA_nts ,

 

Greetings for the day.

 

In Cortex XSIAM, the handling of low-severity alerts is governed by a design philosophy focused on reducing alert fatigue and prioritizing actionable threats.

 

Monitoring and Analysis:

By default, Cortex XSIAM does not automatically create incidents for alerts with Low or Informational severity. These alerts are typically categorized as Insights, which provide contextual metadata to help analysts understand the broader attack chain within an existing incident.

Exceptions

There are specific scenarios where Low severity alerts do generate incidents automatically because they are considered high-fidelity or critical for early detection:

  • Identity and ITDR: Analytics and BIOC alerts related to Identity modules

  • Cloud Detection: Alerts generated from Cloud Detection modules

  • Analytics (Magnifier): Certain detections such as Large Upload, Port Scan, or Failed Connections

 

Playbook Automation:

Standard Automation Rules and Playbook Triggers are tied to the incident lifecycle. Since most Low severity alerts do not create incidents, they do not automatically trigger playbooks.

Workarounds for Automating Low Severity Alerts

  1. Scheduled Jobs
    Create a scheduled playbook (Job) that runs an XQL query to identify specific Low severity alerts and perform programmatic actions.
    For example, a script can use setAlertStatus to automatically resolve or update qualifying alerts.

  2. Severity Elevation
    Modify the source detection (BIOC, Correlation Rule, or Analytics Rule) to raise the severity to Medium.
    This forces incident creation and allows standard automation rules to trigger.

  3. Manual Execution
    Analysts can manually execute playbooks directly from the Alerts table for Low severity entries.

 

Best Practices:

To effectively manage Low severity alert volume:

Treat as Contextual Insights:

Rather than reviewing Low alerts individually, examine them within the Alerts & Insights tab of a related Medium or High severity incident to gain a complete attack narrative.

 

Tune at the Source:

If specific Low severity alerts are consistently noisy and provide little value:

  • Use Alert Exclusions, or

  • Tune the originating detection rule (for example, firewall rules or analytics logic)
    to prevent unnecessary alerts from reaching the console.

 

SOC Tiering Approach:

Use a Tier 1 or Triage Specialist role to periodically review the raw Alerts table (via XQL queries) for emerging patterns that may not yet meet the Medium severity threshold.

 

Future Enhancement:

A feature enhancement request is currently tracked to allow playbooks to trigger directly from Low and Informational alerts in future releases.

 

If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
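The scheduled-job workaround described above (an XQL query that selects Low severity alerts, followed by programmatic status changes via setAlertStatus) and the SOC tiering idea of looking for emerging patterns below the Medium threshold, as an added Python example. This is not code from the original post and not Cortex XSIAM's own code: the alert field names (alert_id, severity, alert_name, host, timestamp), the raw severity value form, the setAlertStatus argument names (alert_id, status, comment) and the binding of the executor to demisto.executeCommand are all assumptions, and the alert rows are constructed sample data shaped like the output of a scheduled XQL job.

```python
"""Triage of Low severity alerts outside the incident lifecycle (added example).

Not code from the original post or from Cortex XSIAM. Assumptions: the rows
come from an XQL query over the alerts dataset with the field names used below;
setAlertStatus accepts alert_id / status / comment arguments.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, shaped like the result of a scheduled XQL job.
SAMPLE_ALERTS = [
    {"alert_id": "1001", "severity": "SEV_020_LOW", "alert_name": "Port Scan",
     "host": "scanner-01", "timestamp": "2024-05-01T10:00:00Z"},
    {"alert_id": "1002", "severity": "SEV_020_LOW", "alert_name": "Port Scan",
     "host": "ws-07", "timestamp": "2024-05-01T10:05:00Z"},
    {"alert_id": "1003", "severity": "SEV_020_LOW", "alert_name": "Failed Connections",
     "host": "ws-07", "timestamp": "2024-05-01T10:40:00Z"},
    {"alert_id": "1004", "severity": "SEV_020_LOW", "alert_name": "Large Upload",
     "host": "ws-07", "timestamp": "2024-05-01T11:10:00Z"},
    {"alert_id": "1005", "severity": "SEV_030_MEDIUM", "alert_name": "Credential Dumping",
     "host": "ws-07", "timestamp": "2024-05-01T11:20:00Z"},
    {"alert_id": "1006", "severity": "SEV_020_LOW", "alert_name": "Failed Connections",
     "host": "ws-12", "timestamp": "2024-05-01T09:00:00Z"},
    {"alert_id": "1007", "severity": "SEV_020_LOW", "alert_name": "Failed Connections",
     "host": "ws-12", "timestamp": "2024-05-01T09:30:00Z"},
    {"alert_id": "1008", "severity": "SEV_010_INFO", "alert_name": "Port Scan",
     "host": "ws-12", "timestamp": "2024-05-01T09:45:00Z"},
]

# Known-noise pairs (alert name -> source hosts). Assumption for the example:
# scanner-01 is an authorised vulnerability scanner, so its port scans are noise.
KNOWN_NOISE = {"Port Scan": {"scanner-01"}}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _is_low(severity):
    # Accepts "low" as well as the "SEV_020_LOW"-style value (assumed form).
    return severity.lower().endswith("low")


def triage(alerts, window=timedelta(hours=24), distinct_threshold=3):
    """Split Low alerts into IDs to auto-resolve and hosts to escalate.

    A host is escalated when it accumulates at least `distinct_threshold`
    different Low alert types inside `window`: individually each alert is below
    the incident threshold, but the combination is the kind of emerging pattern
    a Tier 1 reviewer should look at.
    """
    resolve, remaining = [], []
    for a in (x for x in alerts if _is_low(x["severity"])):
        if a["host"] in KNOWN_NOISE.get(a["alert_name"], set()):
            resolve.append(a["alert_id"])
        else:
            remaining.append(a)

    by_host = defaultdict(list)
    for a in remaining:
        by_host[a["host"]].append(a)

    escalate = {}
    for host, items in by_host.items():
        items.sort(key=lambda x: _ts(x["timestamp"]))
        for i, first in enumerate(items):  # sliding window from each alert
            names = {x["alert_name"] for x in items[i:]
                     if _ts(x["timestamp"]) - _ts(first["timestamp"]) <= window}
            if len(names) >= distinct_threshold:
                escalate[host] = sorted(names)
                break
    return resolve, escalate


def dry_run_execute(command, args):
    """Stand-in executor: records the call instead of touching the platform."""
    return (command, args)


def run(alerts, execute=dry_run_execute, **kwargs):
    """Resolve known-noise Low alerts; return the executor results and the
    hosts that need a human look. Inside an XSIAM script the executor would be
    the platform call, e.g. lambda cmd, args: demisto.executeCommand(cmd, args)
    (assumption: argument names are not confirmed by the post)."""
    resolve, escalate = triage(alerts, **kwargs)
    results = [execute("setAlertStatus", {
        "alert_id": alert_id,
        "status": "resolved_false_positive",
        "comment": "Scheduled job: Low alert from known-noise source",
    }) for alert_id in resolve]
    return results, escalate


if __name__ == "__main__":
    done, to_review = run(SAMPLE_ALERTS)
    print("resolved:", [r[1]["alert_id"] for r in done])
    print("escalate for review:", to_review)
```

Keep the executor injectable: the job can be tested against constructed rows with the dry-run executor, and only the production binding calls the platform. Medium and Informational rows are deliberately ignored here because the former already create incidents and the latter are not in scope for this job.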
