Skip to main content

Handle False Positive Alerts

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles false positive alerts. It creates an alert exclusion or alert exception, or adds a file to an allow list based on the alert fields and playbook inputs.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

This playbook does not use any sub-playbooks.

Integrations#

This playbook does not use any integrations.

Scripts#

This playbook does not use any scripts.

Commands#

  • closeInvestigation
  • core-add-exclusion
  • core-allowlist-files

Playbook Inputs#


NameDescriptionDefault ValueRequired
ShouldCloseAutomaticallyShould we automatically close false positive alerts? Specify true/false.Optional
sourceIPThe host IP from the alert.alert.hostipOptional
usernameThe username from the alert.alert.usernameOptional
alertNameThe alert name.alert.nameOptional
FileSHA256The file SHA256 from the alert.alert.initiatorsha256Optional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Handle False Positive Alerts