CrowdStrike Falcon - False Positive Incident Handling
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike case or detection that was determined to be a false positive by the analyst. Actions include unisolating the host, allowing the indicator by the EDR, and tagging it.
CrowdStrike Falcon · 21 tasks · 7 inputs · 0 outputs
Inputs
AutoUnisolation— Whether automatic un-isolation is allowed.HostId— The host ID to unisolate.AllowIOCTagName— The tag name to apply to the allowed indicator.ApplyAllowIOCGlobally— Whether the indicator is globally added to the allow list. If 'false', specify the group name for the AllowHostGroup input.AllowHostGroupName— The name of the allow list group to apply if ApplyAllowIOCGlobally is set to 'false'.CloseNotes— The close notes to be listed in CrowdStrike.Sha256— The SHA256 value to manage.
Commands used
cs-falcon-add-case-tag
cs-falcon-resolve-case
cs-falcon-resolve-detection
cs-falcon-upload-custom-ioc
setIndicators