Skip to main content

MDE - False Positive Incident Handling

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook handles closing false positive incidents for Microsoft Defender for Endpoint.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Microsoft Defender For Endpoint - Unisolate Endpoint


  • MicrosoftDefenderAdvancedThreatProtection


  • SearchIncidentsV2


  • microsoft-atp-sc-indicator-create
  • setIndicators
  • microsoft-atp-update-alert
  • closeInvestigation

Playbook Inputs#

NameDescriptionDefault ValueRequired
DupAlertIDsToBeClosedDuplicate Cortex XSOAR investigation IDs to close.Optional
CommentAdd a comment to close an incident on the Microsoft Defender for Endpoint side.XSOAR Incident #${}Optional
ReasonProvide a reason for closing the incident. Choose one of the following:
ClassificationChoose From - "Unknown" / "TruePositive" / "FalsePositive"Optional
AllowTagSpecify the tag name for allowed indicators that are found.AllowTagOptional
AutoUnisolationWhether automatic un-isolation is allowed.FalseOptional
CloseDuplicateWhether the duplicate incidents should be closed as well in the Microsoft Defender for Endpoint instance.
The playbook looks for the world "Close" in this input.
HostIDThe ID of the host for running an un-isolation process.${incident.deviceid}Optional
FileSha256Enter the File SHA256 you would like to block.${incident.filesha256}Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

MDE - Retrieve File