This playbook is part of the CrowdStrike Falcon Pack.
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.
This playbook handles a CrowdStrike incident that the analyst has determined to be a false positive.
Actions include un-isolating the host, adding the indicator to the EDR's allow list, and tagging the indicator.
## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks
* Crowdstrike Falcon - Unisolate Endpoint

### Scripts
This playbook does not use any scripts.
## Playbook Inputs
---

| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| AutoUnisolation | Whether automatic un-isolation of the host is allowed. | false | Optional |
| HostId | The ID of the host to un-isolate. | | Optional |
| AllowIOCTagName | The name of the tag to apply to allowed indicators. | | Optional |
| ApplyAllowIOCGlobally | Whether the allow-list entry is applied globally. If False, set the AllowHostGroupName input to the host group the entry should apply to. | | |
| AllowHostGroupName | The name of the host group the allow-list entry applies to when ApplyAllowIOCGlobally is set to False. | | Optional |
| CloseNotes | The close notes to record in CrowdStrike Falcon. | | Optional |
| Sha256 | The SHA256 hash to add to the allow list. | | Optional |
## Playbook Outputs
---
There are no outputs for this playbook.
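The inputs above interact: un-isolation only happens when `AutoUnisolation` is true and a `HostId` is present, and a non-global allow-list entry needs `AllowHostGroupName` or it cannot be scoped. The following Python is an added illustration of that decision logic and is not code from the Malware Investigation And Response pack or from the playbook itself. It builds the allow-list indicator as a dictionary whose field names (`type`, `value`, `action`, `applied_globally`, `host_groups`, `tags`, `description`) follow the shape of the CrowdStrike Falcon custom IOC API as I understand it; treat those names as an assumption and check them against your Falcon API documentation before wiring this into an automation.

```python
"""Decision logic mirroring the false-positive playbook inputs.

Added illustration, not the pack's or playbook's own code. The indicator
field names are an assumption based on the CrowdStrike Falcon custom IOC API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass
class FalsePositiveInputs:
    """Mirrors the playbook inputs; defaults match the inputs table."""
    auto_unisolation: bool = False
    host_id: Optional[str] = None
    sha256: Optional[str] = None
    allow_ioc_tag_name: Optional[str] = None
    apply_allow_ioc_globally: bool = True
    allow_host_group_name: Optional[str] = None
    close_notes: Optional[str] = None


def should_unisolate(inputs: FalsePositiveInputs) -> bool:
    """Un-isolate only when the analyst allowed it AND a host is identified."""
    return inputs.auto_unisolation and bool(inputs.host_id)


def build_allow_indicator(inputs: FalsePositiveInputs) -> Dict[str, Union[str, bool, List[str]]]:
    """Build the allow-list indicator for the EDR, enforcing the input rules.

    Raises ValueError when the hash is missing or malformed, or when a
    non-global entry has no host group to scope it to.
    """
    if not inputs.sha256 or not SHA256_RE.match(inputs.sha256):
        raise ValueError("Sha256 must be a 64-character hex SHA256 hash")
    if not inputs.apply_allow_ioc_globally and not inputs.allow_host_group_name:
        raise ValueError("AllowHostGroupName is required when ApplyAllowIOCGlobally is False")

    indicator: Dict[str, Union[str, bool, List[str]]] = {
        "type": "sha256",
        "value": inputs.sha256.lower(),  # normalise case so duplicates collapse
        "action": "allow",
        "applied_globally": inputs.apply_allow_ioc_globally,
        "description": inputs.close_notes or "Marked as false positive by analyst",
    }
    if not inputs.apply_allow_ioc_globally:
        # Scope the entry to the named host group instead of the whole tenant.
        indicator["host_groups"] = [inputs.allow_host_group_name]
    if inputs.allow_ioc_tag_name:
        indicator["tags"] = [inputs.allow_ioc_tag_name]
    return indicator


if __name__ == "__main__":
    # Constructed sample inputs: scoped allow-list entry, manual un-isolation.
    sample = FalsePositiveInputs(
        auto_unisolation=False,
        host_id="constructed-host-id",
        sha256="A" * 64,
        allow_ioc_tag_name="XSOAR-FalsePositive",
        apply_allow_ioc_globally=False,
        allow_host_group_name="Workstations",
        close_notes="Benign internal tool, verified by analyst",
    )
    print("unisolate:", should_unisolate(sample))
    print("indicator:", build_allow_indicator(sample))
```

The scoped case is the one worth testing: with `ApplyAllowIOCGlobally` false and no host group name the function refuses to build the entry rather than silently falling back to a global allow, which would widen the exception far beyond what the analyst approved.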