# Handle False Positive Alerts

This Playbook is part of the Common Playbooks Pack.

## Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles false positive alerts. It creates an alert exclusion or alert exception, or adds a file to an allow list, based on the alert fields and playbook inputs.
## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks
This playbook does not use any sub-playbooks.

### Integrations
This playbook does not use any integrations.

### Scripts
This playbook does not use any scripts.

### Commands
- closeInvestigation
- core-add-exclusion
- core-allowlist-files
## Playbook Inputs

| Name | Description | Default Value | Required |
|---|---|---|---|
| ShouldCloseAutomatically | Should we automatically close false positive alerts? Specify true/false. | | Optional |
| sourceIP | The host IP from the alert. | alert.hostip | Optional |
| username | The username from the alert. | alert.username | Optional |
| alertName | The alert name. | alert.name | Optional |
| FileSHA256 | The file SHA256 from the alert. | alert.initiatorsha256 | Optional |

## Playbook Outputs
There are no outputs for this playbook.