Skip to main content

TIM - Indicators Exclusion By Related Incidents

This Playbook is part of the TIM - Indicator Auto-Processing Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbooks allows you to exclude indicators according to the number of incidents the indicator is related to. The indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set. Excluded indicators are located in the Cortex XSOAR exclusion list and are removed from all of their related incidents and future ones. The purpose of excluding these indicators is to reduce the amount internal and common indicators appearing in many incidents and showing only relevant indicators. Creating exclusions can also accelerate performance. The excludeIndicators command provides all the options that are on the exclusion list addition - except for using regex.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


This playbook does not use any scripts.


  • createNewIncident
  • excludeIndicators
  • appendIndicatorField

Playbook Inputs#

NameDescriptionDefault ValueRequired
Indicator QueryThe indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set.Optional
ActionToPerformThis input specifies which action the playbook performs on the provided indicators. Possible input values can be: AutoExclude, TagIndicatorsOptional
TagValueForIndicatorsThis input specifies the tag value to apply to the indicators. An example value can be whitelist_review. This input should be used only if The ActionToPerform input value is TagIndicators.Optional
OpenIncidentToReviewIndicatorsManuallyThis input determines if processed indicators that have the whitelist review tag are reviewed in a new incident. To create an incident, enter any value other than 'No'.NoOptional
AutoExcludeReasonProvide the reason that will appear in the XSOAR exclusionOptional
indicatorsValuesA comma-separated list of indicator values. Supports values of more than one indicator type. For example the value of an IP address, a domain, and a file hash.Optional
indicatorsTypesA comma-separated list of indicator types. Supports multiple types. For example IP, Host and Email.Optional
reasonThe reason the indicators were excluded.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Playbook Image