Skip to main content

MDE - False Positive Incident Handling

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook handles false positive incident closure for Microsoft Defender for Endpoint.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

Microsoft Defender For Endpoint - Unisolate Endpoint

Integrations#

MicrosoftDefenderAdvancedThreatProtection

Scripts#

SearchIncidentsV2

Commands#

  • closeInvestigation
  • setIndicators
  • microsoft-atp-sc-indicator-create
  • microsoft-atp-update-alert

Playbook Inputs#


NameDescriptionDefault ValueRequired
DupAlertIDsToBeClosedDuplicate Cortex XSOAR investigation IDs to close.Optional
CommentAdd a comment to close an incident on the Microsoft Defender for Endpoint side.XSOAR Incident #${incident.id}Optional
ReasonProvide a reason for closing the incident. Choose one of the following:
"NotAvailable"/"Apt,Malware"/"SecurityPersonnel"/"SecurityTesting"/"UnwantedSoftware"/"Other"
Optional
ClassificationChoose From - "Unknown" / "TruePositive" / "FalsePositive"Optional
AllowTagSpecify the tag name for allowed indicators that are found.AllowTagOptional
AutoUnisolationWhether automatic un-isolation is allowed.FalseOptional
CloseDuplicateWhether the duplicate incidents should be closed as well in the Microsoft Defender for Endpoint instance.
The playbook looks for the world "Close" in this input..
Optional
HostIDThe ID of the host for running an un-isolation process.${incident.deviceid}Optional
FileSha256Enter the File SHA256 you would like to block.${incident.filesha256}Optional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


MDE - False Positive Incident Handling