CrowdStrike Falcon - False Positive Incident Handling

This Playbook is part of the CrowdStrike Falcon Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to

This playbook handles a CrowdStrike incident that the analyst determined to be a false positive.
Actions include unisolating the host, allowing the indicator in the EDR, and tagging it.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Crowdstrike Falcon - Unisolate Endpoint

Scripts

This playbook does not use any scripts.

Commands

  • setIndicators
  • cs-falcon-upload-custom-ioc
  • cs-falcon-resolve-incident
  • cs-falcon-resolve-detection

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| AutoUnisolation | Whether automatic un-isolation is allowed. | false | Optional |
| HostId | The host ID to unisolate. | | Optional |
| AllowIOCTagName | The name of the tag to apply to allowed indicators. | | Optional |
| ApplyAllowIOCGlobally | Whether adding to the allow list is global. If False, set the AllowHostGroup input to the group name. | | |
| AllowHostGroupName | The name of the allow list group to apply in case ApplyAllowIOCGlobally is set to False. | | Optional |
| CloseNotes | Provide the close notes to be listed in CrowdStrike Falcon. | | Optional |
| Sha256 | The SHA256 value to manage. | | Optional |
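The input rules above can be checked before the playbook runs, since allowing a hash is hard to notice once it is in place. The following is an added example, not code from the playbook or the pack: `preflight` and `as_bool` are hypothetical helpers, the sample inputs are constructed, and the conditions under which each step is planned are assumptions based only on the input descriptions.

```python
import re

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def as_bool(value):
    """Playbook inputs arrive as strings; accept 'true'/'false' in any case."""
    text = str(value or "").strip().lower()
    return text == "true" if text in ("true", "false") else None


def preflight(inputs):
    """Return (planned_steps, problems); steps are empty if any problem exists."""
    steps, problems = [], []

    # Un-isolation only when explicitly allowed and a host is named.
    if as_bool(inputs.get("AutoUnisolation")):
        if inputs.get("HostId"):
            steps.append("Crowdstrike Falcon - Unisolate Endpoint")
        else:
            problems.append("AutoUnisolation is true but HostId is empty")

    # Allow-listing: the hash must be well formed and the scope explicit.
    sha256 = (inputs.get("Sha256") or "").strip()
    if sha256:
        if not SHA256_RE.fullmatch(sha256):
            problems.append("Sha256 is not 64 hexadecimal characters")
        is_global = as_bool(inputs.get("ApplyAllowIOCGlobally"))
        if is_global is None:
            problems.append("ApplyAllowIOCGlobally must be true or false")
        elif not is_global and not inputs.get("AllowHostGroupName"):
            problems.append("AllowHostGroupName is required when "
                            "ApplyAllowIOCGlobally is false")
        # Stricter than the playbook (the tag is optional there): an
        # untagged allow entry is hard to find in a later audit.
        if not inputs.get("AllowIOCTagName"):
            problems.append("AllowIOCTagName is empty")
        steps += ["cs-falcon-upload-custom-ioc", "setIndicators"]

    steps += ["cs-falcon-resolve-incident", "cs-falcon-resolve-detection"]
    return ([] if problems else steps), problems


# Constructed sample inputs (not real hosts, groups or hashes).
SAMPLE_OK = {"AutoUnisolation": "false", "Sha256": "a" * 64,
             "ApplyAllowIOCGlobally": "False",
             "AllowHostGroupName": "build-servers",
             "AllowIOCTagName": "fp-allowed"}
SAMPLE_BAD = {"AutoUnisolation": "true", "HostId": "", "Sha256": "abc123",
              "ApplyAllowIOCGlobally": "False", "AllowHostGroupName": "",
              "AllowIOCTagName": "fp-allowed"}
```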

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Image: CrowdStrike Falcon - False Positive Incident Handling]