Skip to main content

Cortex XDR Incident Handling

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#


Use Cortex XDR incident handling v3 instead.

Deprecated. Use Cortex XDR incident handling v3 instead. This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.

*** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0. For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Palo Alto Networks - Malware Remediation
  • Calculate Severity - Standard


  • CortexXDRIR


  • XDRSyncScript
  • StopScheduledTask


  • closeInvestigation
  • autofocus-sample-analysis
  • xdr-update-incident

Playbook Inputs#

There are no inputs for this playbook.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cortex XDR Incident Handling