XSUP-31342 - XDR mirroring changes incident resolution

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py

@@ -2856,18 +2856,23 @@ def handle_user_unassignment(update_args):
 
 
 def handle_outgoing_issue_closure(remote_args):
+    incident_id = remote_args.remote_incident_id
+    demisto.debug(f"handle_outgoing_issue_closure {incident_id=}")
     update_args = remote_args.delta
     current_remote_status = remote_args.data.get('status') if remote_args.data else None
+    close_reason = update_args.get('close_reason') or update_args.get('closeReason')
+    demisto.debug(f'{current_remote_status=} {remote_args.data=} {remote_args.inc_status=} {close_reason=}')
     # force closing remote incident only if:
     #   The XSOAR incident is closed
     #   and the remote incident isn't already closed
     if remote_args.inc_status == 2 and \
-       current_remote_status not in XDR_RESOLVED_STATUS_TO_XSOAR:
+       current_remote_status not in XDR_RESOLVED_STATUS_TO_XSOAR and close_reason:
 
         if close_notes := update_args.get('closeNotes'):
+            demisto.debug(f"handle_outgoing_issue_closure {incident_id=} {close_notes=}")
             update_args['resolve_comment'] = close_notes
-        update_args['status'] = XSOAR_RESOLVED_STATUS_TO_XDR.get(update_args.get('closeReason', 'Other'))
-        demisto.debug(f"Closing Remote incident with status {update_args['status']}")
+        update_args['status'] = XSOAR_RESOLVED_STATUS_TO_XDR.get(close_reason, 'Other')
+        demisto.debug(f"handle_outgoing_issue_closure Closing Remote incident {incident_id=} with status {update_args['status']}")
 
 
 def get_update_args(remote_args):

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py

@@ -9,7 +9,7 @@
 
 import demistomock as demisto
 from CommonServerPython import Common, tableToMarkdown, pascalToSpace, DemistoException
-from CoreIRApiModule import CoreClient
+from CoreIRApiModule import CoreClient, handle_outgoing_issue_closure
 from CoreIRApiModule import add_tag_to_endpoints_command, remove_tag_from_endpoints_command, quarantine_files_command, \
     isolate_endpoint_command, list_user_groups_command, parse_user_groups, list_users_command, list_roles_command, \
     change_user_role_command, list_risky_users_or_host_command, enrich_error_message_id_group_role, get_incidents_command
@@ -3789,3 +3789,37 @@ def test_get_starred_incident_list(self, requests_mock):
         _, outputs, _ = get_incidents_command(client, args)
 
         assert outputs['CoreApiModule.Incident(val.incident_id==obj.incident_id)'][0]['starred'] is True
+
+
+INPUT_test_handle_outgoing_issue_closure = load_test_data('./test_data/handle_outgoing_issue_closure_input.json')
+
+
+@pytest.mark.parametrize("args, expected_delta",
+                         [
+                             # close an incident from xsoar ui, and the incident type isn't cortex xdr incident
+                             (INPUT_test_handle_outgoing_issue_closure["xsoar_ui_common_mapping"]["args"],
+                              INPUT_test_handle_outgoing_issue_closure["xsoar_ui_common_mapping"]["expected_delta"]),
+                             # close an incident from xsoar ui, and the incident type is cortex xdr incident
+                             (INPUT_test_handle_outgoing_issue_closure["xsoar_ui_cortex_xdr_incident"]["args"],
+                              INPUT_test_handle_outgoing_issue_closure["xsoar_ui_cortex_xdr_incident"]["expected_delta"]),
+                             # close an incident from XDR
+                             (INPUT_test_handle_outgoing_issue_closure["xdr"]["args"],
+                              INPUT_test_handle_outgoing_issue_closure["xdr"]["expected_delta"])
+                         ])
+def test_handle_outgoing_issue_closure(args, expected_delta):
+    """
+    Given: An UpdateRemoteSystemArgs object.
+    - case A: data & delta that match a case of closing an incident from xsoar ui, and the incident type isn't cortex xdr incident
+    - case B: data & delta that match a case of closing an incident from xsoar ui, and the incident type is cortex xdr incident
+    - case C: data & delta that match a case of closing an incident from XDR.
+    When: Closing an incident.
+    Then: Ensure the update_args has the expected value.
+    - case A: a status is added with the correct value.
+    - case B: a status is added with the correct value.
+    - case C: a status isn't added. (If the closing status came from XDR, there is no need to update it again)
+    """
+    from CommonServerPython import UpdateRemoteSystemArgs
+
+    remote_args = UpdateRemoteSystemArgs(args)
+    handle_outgoing_issue_closure(remote_args)
+    assert remote_args.delta == expected_delta

Packs/ApiModules/Scripts/CoreIRApiModule/test_data/handle_outgoing_issue_closure_input.json

@@ -0,0 +1,69 @@
+{
+    "xsoar_ui_common_mapping": {
+        "args": {
+            "remoteId": "47",
+            "delta": {
+                "close_reason": "False Positive",
+                "resolve_comment": "closing 47 false positive"
+            },
+            "data": {
+                "assigned_user_mail": "assigned_user_mail",
+                 "assigned_user_pretty_name": "User",
+                 "close_reason": "False Positive",
+                 "manual_severity": "high",
+                 "resolve_comment": "closing 47 false positive",
+                 "status": "new"
+            },
+            "status": 2
+        },
+        "expected_delta": {
+            "close_reason": "False Positive",
+            "resolve_comment": "closing 47 false positive",
+            "status": "resolved_false_positive"
+        }
+    },
+    "xsoar_ui_cortex_xdr_incident": {
+        "args": {
+            "remoteId": "47",
+            "delta": {
+                "closeReason": "False Positive",
+                "closeNotes": "closing 47 false positive"
+            },
+            "data": {
+                "assigned_user_mail": "assigned_user_mail",
+                 "assigned_user_pretty_name": "User",
+                 "manual_severity": "high",
+                 "status": "new"
+            },
+            "status": 2
+        },
+        "expected_delta": {
+            "closeReason": "False Positive",
+            "closeNotes": "closing 47 false positive",
+            "resolve_comment": "closing 47 false positive",
+            "status": "resolved_false_positive"
+        }
+    },
+    "xdr": {
+        "args": {
+            "remoteId": "47",
+            "delta": {
+                "close_reason": "False Positive",
+                "resolve_comment": "resolving from xdr"
+            },
+            "data": {
+                "assigned_user_mail": "assigned_user_mail",
+                "assigned_user_pretty_name": "User",
+                "close_reason": "False Positive",
+                "manual_severity": "high",
+                "resolve_comment": "resolving from xdr",
+                "status": "resolved_false_positive"
+            },
+            "status": 2
+        },
+        "expected_delta": {
+            "close_reason": "False Positive",
+            "resolve_comment": "resolving from xdr"
+        }
+    }
+}

Packs/Core/ReleaseNotes/3_0_19.md

@@ -0,0 +1,5 @@
+
+#### Integrations
+
+##### Investigation & Response
+- Updated the outgoing mirroring process to also check the **close reason** of the incident, if needed.

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "3.0.18",
+    "currentVersion": "3.0.19",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexXDR/Classifiers/classifier-mapper-outgoing-PaloAltoNetworks_CortexXDR.json

@@ -127,12 +127,29 @@
 				}
 			}
 		},
+        "Malware Investigation and Response": {
+			"dontMapEventToLabels": false,
+			"internalMapping": {
+				"close_reason": {
+					"simple": "closeReason"
+				},
+				"resolve_comment": {
+					"simple": "closeNotes"
+				},
+				"status": {
+					"simple": "externalstatus.[0]"
+				}
+			}
+		},
 		"dbot_classification_incident_type_all": {
 			"dontMapEventToLabels": false,
 			"internalMapping": {
 				"assigned_user_mail": {
 					"simple": "xdrassigneduseremail"
 				},
+				"close_reason": {
+					"simple": "closeReason"
+				},
 				"manual_severity": {
 					"complex": {
 						"filters": [],
@@ -207,6 +224,9 @@
 				},
 				"resolve_comment": {
 					"simple": "closeNotes"
+				},
+				"status": {
+					"simple": "xdrstatusv2"
 				}
 			}
 		}

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py

@@ -15,7 +15,7 @@
 API_KEY_LENGTH = 128
 
 INTEGRATION_CONTEXT_BRAND = 'PaloAltoNetworksXDR'
-XDR_INCIDENT_TYPE_NAME = 'Cortex XDR Incident'
+XDR_INCIDENT_TYPE_NAME = 'Cortex XDR Incident Schema'
 INTEGRATION_NAME = 'Cortex XDR - IR'
 
 XDR_INCIDENT_FIELDS = {
@@ -33,6 +33,8 @@
     "manual_severity": {"description": "Incident severity assigned by the user. "
                                        "This does not affect the calculated severity low medium high",
                         "xsoar_field_name": "severity"},
+    "close_reason": {"description": "The close reason of the XSOAR incident",
+                     "xsoar_field_name": "closeReason"}
 }
 
 MIRROR_DIRECTION = {
@@ -420,6 +422,7 @@ def get_incident_extra_data_command(client, args):
 
     incident = raw_incident.get('incident')
     incident_id = incident.get('incident_id')
+    demisto.debug(f"in get_incident_extra_data_command {incident_id=} {incident=}")
     raw_alerts = raw_incident.get('alerts').get('data')
     context_alerts = clear_trailing_whitespace(raw_alerts)
     for alert in context_alerts:
@@ -624,9 +627,12 @@ def handle_incoming_user_unassignment(incident_data):
 
 
 def handle_incoming_closing_incident(incident_data):
+    incident_id = incident_data.get('incident_id')
+    demisto.debug(f'handle_incoming_closing_incident {incident_data=} {incident_id=}')
     closing_entry = {}  # type: Dict
     if incident_data.get('status') in XDR_RESOLVED_STATUS_TO_XSOAR:
-        demisto.debug(f"Closing XDR issue {incident_data.get('incident_id')}")
+        demisto.debug(f"handle_incoming_closing_incident {incident_data.get('status')=} {incident_id=}")
+        demisto.debug(f"Closing XDR issue {incident_id=}")
         closing_entry = {
             'Type': EntryType.NOTE,
             'Contents': {
@@ -638,11 +644,14 @@ def handle_incoming_closing_incident(incident_data):
         }
         incident_data['closeReason'] = closing_entry['Contents']['closeReason']
         incident_data['closeNotes'] = closing_entry['Contents']['closeNotes']
+        demisto.debug(f"handle_incoming_closing_incident {incident_id=} {incident_data['closeReason']=} "
+                      f"{incident_data['closeNotes']=}")
 
         if incident_data.get('status') == 'resolved_known_issue':
             close_notes = f'Known Issue.\n{incident_data.get("closeNotes", "")}'
             closing_entry['Contents']['closeNotes'] = close_notes
             incident_data['closeNotes'] = close_notes
+            demisto.debug(f"handle_incoming_closing_incident {incident_id=} {close_notes=}")
 
     return closing_entry
 
@@ -765,12 +774,16 @@ def get_remote_data_command(client, args):
 
 def update_remote_system_command(client, args):
     remote_args = UpdateRemoteSystemArgs(args)
+    incident_id = remote_args.remote_incident_id
+    demisto.debug(f"update_remote_system_command {incident_id=} {remote_args=}")
 
     if remote_args.delta:
         demisto.debug(f'Got the following delta keys {str(list(remote_args.delta.keys()))} to update'
                       f'incident {remote_args.remote_incident_id}')
+        demisto.debug(f'{remote_args.delta=}')
     try:
         if remote_args.incident_changed:
+            demisto.debug(f"update_remote_system_command {incident_id=} {remote_args.incident_changed=}")
             update_args = get_update_args(remote_args)
 
             update_args['incident_id'] = remote_args.remote_incident_id

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml

@@ -3471,7 +3471,7 @@ script:
       isArray: true
     name: xdr-remove-user-role
     description: Remove one or more users from a role.
-  dockerimage: demisto/python3:3.10.13.86272
+  dockerimage: demisto/python3:3.10.13.87159
   isfetch: true
   isfetch:xpanse: false
   script: ''

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py

@@ -435,7 +435,7 @@ def test_get_mapping_fields_command():
         - the result fits the expected mapping.
     """
     from CortexXDRIR import get_mapping_fields_command
-    expected_mapping = {"Cortex XDR Incident": {
+    expected_mapping = {"Cortex XDR Incident Schema": {
         "status": "Current status of the incident: \"new\",\"under_"
                   "investigation\",\"resolved_known_issue\","
                   "\"resolved_duplicate\",\"resolved_false_positive\","
@@ -444,7 +444,8 @@ def test_get_mapping_fields_command():
         "assigned_user_pretty_name": "Full name of the user assigned to the incident.",
         "resolve_comment": "Comments entered by the user when the incident was resolved.",
         "manual_severity": "Incident severity assigned by the user. This does not "
-                           "affect the calculated severity low medium high"
+                           "affect the calculated severity low medium high",
+        "close_reason": "The close reason of the XSOAR incident"
     }}
     res = get_mapping_fields_command()
     assert expected_mapping == res.extract_mapping()

Packs/CortexXDR/ReleaseNotes/6_1_16.md

@@ -0,0 +1,14 @@
+
+#### Integrations
+
+##### Palo Alto Networks Cortex XDR - Investigation and Response
+- Updated the outgoing mirroring process to also check the **close reason** of the incident, if needed.
+- Updated the name of the schema to Cortex XDR Incident Schema.
+- Updated the Docker image to: *demisto/python3:3.10.13.87159*.
+
+#### Mappers
+
+##### Cortex XDR - Outgoing Mapper
+- Added the field close_reason to the mapper.
+- Added the field status to the Common Mapping.
+- Added the incident type **Malware Investigation and Response** to the outgoing mapper.

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "6.1.15",
+    "currentVersion": "6.1.16",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/ctf01/ReleaseNotes/1_0_7.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Cortex XDR - IR CTF
+
+- Updated the outgoing mirroring process to also check the **close reason** of the incident, if needed.

Packs/ctf01/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Capture The Flag - 01",
     "description": "XSOAR's Capture the flag (CTF)",
     "support": "xsoar",
-    "currentVersion": "1.0.6",
+    "currentVersion": "1.0.7",
     "serverMinVersion": "8.2.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",