Automatically add IP addresses from entities located in the Alert to BlackList

Hi everyone,
I have some issues - how can we automatically add some IP addresses from entities located in the Alert to BlackList menu on Siemplify settings?
I can't find this type of action in Playbooks. Could someone navigate me, please?

In summary, the goal is to add some IP addresses (from Entities Alerts) to BlackList directly from Playbooks.

8 REPLIES

Can you elaborate on why you want to add it? I'm interested in the use case.

We currently have steps in the playbook to add a comment to the entity details (entity explorer screen), and to add them to a customlist of category "temporaryWhitelist". We then have steps early in our playbooks to check if an entity matches an entry on the temporaryWhitelist customlist, and close the case in Tier0 automatically if there's a match.

The blacklist, however, causes Siemplify to not create entities for these entries at all, thus they are simply "absent" in cases - something we only do for stuff like "0.0.0.0" or hostname "unknown".

Hi, what about creating a CustomList named "Blacklist" and adding the IP entries to this CustomList with the playbook action "Add to Custom List"?

No problem, we want to reject some spam IP addresses. When we get another alert with the same IP address, we don't take care of them.

Hm... But in the future, when we create this type of list (custom list), can we reject these IPs automatically? I think Siemplify doesn't look at our "custom list" to run an action that does not create an Alert - like it does right now with the "BlackList"...

I think you are right, but maybe you can also look up in the CustomList whether the IP already exists and, if so, close the Alert with no further analysis/actions from the Playbook?

That's what I would do. Add these IPs to a customlist, and then use a flow to check if IP not in that customlist.

Ok, I have an official answer from Siemplify that this function doesn't exist now in Siemplify. So you can add IPs on blacklist directly from Playbook. Thank you all for your advice. ;)