Skip to main content

CrowdStrike Falcon - False Positive Incident Handling

This Playbook is part of the CrowdStrike Falcon Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook handles a CrowdStrike incident that was determined to be a false positive by the analyst. Actions include unisolating the host, allowing the indicator by the EDR, and tagging it.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Crowdstrike Falcon - Unisolate Endpoint


  • CrowdStrikeFalcon


This playbook does not use any scripts.


  • cs-falcon-resolve-incident
  • setIndicators
  • cs-falcon-resolve-detection
  • cs-falcon-upload-custom-ioc

Playbook Inputs#

NameDescriptionDefault ValueRequired
AutoUnisolationWhether automatic un-isolation is allowed.falseOptional
HostIdThe host ID to unisolate.Optional
AllowIOCTagNameThe tag name to apply to the allowed indicator.Optional
ApplyAllowIOCGloballyWhether the indicator is globally added to the allow list.
If 'false', specify the group name for the AllowHostGroup input.
AllowHostGroupNameThe name of the allow list group to apply if ApplyAllowIOCGlobally is set to 'false'.Optional
CloseNotesThe close notes to be listed in CrowdStrike.Optional
Sha256The SHA256 value to manage.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

CrowdStrike Falcon - False Positive Incident Handling