TIM - Indicators Exclusion By Related Incidents

This playbooks allows you to exclude indicators according to the number of incidents the indicator is related to. The indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set. Excluded indicators are located in the Cortex XSOAR exclusion list and are removed from all of their related incidents and future ones. The purpose of excluding these indicators is to reduce the amount internal and common indicators appearing in many incidents and showing only relevant indicators. Creating exclusions can also accelerate performance.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


This playbook does not use any scripts.


  • createNewIncident
  • excludeIndicators
  • appendIndicatorField

Playbook Inputs

NameDescriptionDefault ValueRequired
Indicator QueryThe indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set.Optional
ActionToPerformThis input specifies which action the playbook performs on the provided indicators. Possible input values can be
TagIndicators | | Optional |

| TagValueForIndicators | This input specifies the tag value to apply to the indicators. An example value can be whitelist_review. This input should be used only if The ActionToPerform input value is TagIndicators. | | Optional | | OpenIncidentToReviewIndicatorsManually | This input determines if processed indicators that have the whitelist review tag are reviewed in a new incident. To create an incident, enter any value other than 'No'. | No | Optional | | AutoExcludeReason | Provide the reason that will appear in the XSOAR exclusion | | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

Playbook Image