CrowdStrike Falcon - True Positive Incident Handling

This Playbook is part of the CrowdStrike Falcon Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook handles a CrowdStrike incident that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Threat Hunting - Generic
  • Crowdstrike Falcon - Isolate Endpoint




  • AddEvidence
  • IsIntegrationAvailable
  • ServiceNowCreateIncident


  • setIndicators
  • setIncident
  • cs-falcon-resolve-incident
  • cs-falcon-rtr-remove-file
  • cs-falcon-resolve-detection
  • jira-create-issue
  • cs-falcon-upload-custom-ioc

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow. | | Optional |
| BlockIOCTagName | The tag to assign for indicators to block. | | Optional |
| HostID | The ID of the host to use. | | Optional |
| AutoIsolation | Whether automatic host isolation is allowed. | false | Optional |
| TicketProjectName | The ticket project name (required for Jira). | | Optional |
| BlockMaliciousIOCGlobally | Whether adding to the block list is global. If False, provide an input for the BlockHostGroup input with the group name. | | |
| BlockHostGroupName | The name of the allow list group to apply if BlockMaliciousIOCGlobally is set to False. | | Optional |
| TicketDescription | The description to be used by the ticketing system. | | Optional |
| CloseNotes | Provide the close notes to be listed in CrowdStrike. | | Optional |
| Sha256 | The SHA256 value to manage. | | Optional |
| PathsForFilesToRemove | Provide the path for the file to remove. | | Optional |
| OperatingSystemToRemoveFrom | Values can be Windows, Linux, Mac. | | Optional |
| ManuallyChooseIOCForHunting | This input will provide you with the ability to select IOCs to be hunted using the Threat Hunting - generic playbook. If false, it will hunt for all IOCs detected in the incident. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage. | | |
| IP | IP value to hunt on. | IP | Optional |
| MD5 | MD5 file value to hunt upon. | File.MD5 | Optional |
| URL_or_Domain | URL or Domain to hunt upon. | Domain.Name | Optional |
| FileSha1 | File SHA1 value to hunt upon. | File.SHA1 | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

CrowdStrike Falcon - True Positive Incident Handling