Skip to main content

CrowdStrike Falcon - True Positive Incident Handling

This Playbook is part of the CrowdStrike Falcon Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook handles a CrowdStrike incident that was determined to be a true positive by the analyst.
Actions include isolating the host, blocking the indicator by the EDR, and tagging it.


This playbook uses the following sub-playbooks, integrations, and scripts.


Crowdstrike Falcon - Isolate Endpoint




  • ServiceNowCreateIncident
  • IsIntegrationAvailable


  • cs-falcon-resolve-detection
  • cs-falcon-upload-custom-ioc
  • cs-falcon-rtr-remove-file
  • cs-falcon-resolve-incident
  • jira-create-issue
  • setIndicators

Playbook Inputs#

NameDescriptionDefault ValueRequired
TicketingSystemToUseThe name of the ticketing system to use, for example Jira or ServiceNow.Optional
BlockIOCTagNameThe tag to assign for indicators to block.Optional
HostIDThe ID of the host to use.Optional
AutoIsolationWhether automatic host isolation is allowed.falseOptional
TicketProjectNameThe ticket project name (required for Jira).Optional
BlockMaliciousIOCGloballyWhether adding to block list is global.
If False, set the BlockHostGroup input to the group name.
BlockHostGroupNameThe name of the allow list group to apply in case BlockMaliciousIOCGlobally is set to False.Optional
TicketDescriptionThe description to be used by the ticketing system.Optional
CloseNotesProvide the close notes to be listed in CrowdStrike.Optional
Sha256The SHA256 value to manage.Optional
PathsForFilesToRemoveProvide the file path to remove from.Optional
OperatingSystemToRemoveFromPossible values:
* Mac

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

CrowdStrike Falcon - True Positive Incident Handling