Skip to main content

Handle False Positive Alerts

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles false positive alerts. It creates an alert exclusion or alert exception, or adds a file to an allow list based on the alert fields and playbook inputs.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


This playbook does not use any scripts.


  • core-iocs-disable
  • core-allowlist-files
  • closeInvestigation
  • core-add-exclusion

Playbook Inputs#

NameDescriptionDefault ValueRequired
ShouldCloseAutomaticallyShould we automatically close false positive alerts? Specify true/false.Optional
sourceIPThe host IP from the alert.alert.hostipOptional
usernameThe username from the alert.alert.usernameOptional
alertNameThe alert name.alert.nameOptional
FileSHA256The file SHA256 from the alert.alert.initiatorsha256Optional
IOCThe IOC to disable from IOC alerts.Optional
ShouldHandleFPautomaticallyShould we automatically handle false positive alerts? Specify true/false.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Handle False Positive Alerts