Skip to main content

Handle False Positive Alerts

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles false positive alerts. It creates an alert exclusion or alert exception, or adds a file to an allow list based on the alert fields and playbook inputs.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


This playbook does not use any scripts.


  • closeInvestigation
  • core-add-exclusion
  • core-allowlist-files

Playbook Inputs#

NameDescriptionDefault ValueRequired
ShouldCloseAutomaticallyShould we automatically close false positive alerts? Specify true/false.Optional
sourceIPThe host IP from the alert.alert.hostipOptional
usernameThe username from the alert.alert.usernameOptional
alertNameThe alert name.alert.nameOptional
FileSHA256The file SHA256 from the alert.alert.initiatorsha256Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Handle False Positive Alerts