MDE - False Positive Incident Handling
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles closing false positive incidents for Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint · 19 tasks · 9 inputs · 0 outputs
Inputs
DupAlertIDsToBeClosed— Duplicate Cortex XSOAR investigation IDs to close.Comment— Add a comment to close an incident on the Microsoft Defender for Endpoint side.Reason— Provide a reason for closing the incident. Choose one of the following: "NotAvailable"/"Apt,Malware"/"SecurityPersonnel"/"SecurityTesting"/"UnwantedSoftware"/"Other"Classification— Choose From - "Unknown" / "TruePositive" / "FalsePositive"AllowTag— Specify the tag name for allowed indicators that are found.AutoUnisolation— Whether automatic un-isolation is allowed.CloseDuplicate— Whether the duplicate incidents should be closed as well in the Microsoft Defender for Endpoint instance. The playbook looks for the world "Close" in this input.HostID— The ID of the host for running an un-isolation process.FileSha256— Enter the File SHA256 you would like to block.
Commands used
closeInvestigation
microsoft-atp-sc-indicator-create
microsoft-atp-update-alert
setIndicators