fixing xdr_close_reason_resolution

Packs/ApiModules/ReleaseNotes/2_2_23.md

@@ -0,0 +1,4 @@
+
+#### Scripts
+##### CoreIRApiModule
+- Fixed an issue in XDR IR <-> XSOAR mirroring, where non-default XSOAR close-reasons were not resolved properly.

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py

@@ -2862,7 +2862,7 @@ def resolve_xdr_close_reason(xsoar_close_reason: str) -> str:
     :return: XDR close-reason in snake_case format e.g. 'resolved_false_positive'.
     """
     # Initially setting the close reason according to the default mapping.
-    xdr_close_reason = XSOAR_RESOLVED_STATUS_TO_XDR.get(xsoar_close_reason, 'Other')
+    xdr_close_reason = XSOAR_RESOLVED_STATUS_TO_XDR.get(xsoar_close_reason, 'resolved_other')
     # Reading custom XSOAR->XDR close-reason mapping.
     custom_xsoar_to_xdr_close_reason_mapping = comma_separated_mapping_to_dict(
         demisto.params().get("custom_xsoar_to_xdr_close_reason_mapping")

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml

@@ -12,7 +12,7 @@ comment: Common Core IR Client, provides generic Infrastructure.
 scripttarget: 0
 dependson: {}
 timeout: 0s
-dockerimage: demisto/python3:3.10.13.78960
+dockerimage: demisto/python3:3.10.14.91134
 fromversion: 5.0.0
 tests:
 - No tests (auto formatted)

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py

@@ -3850,30 +3850,37 @@ def test_handle_outgoing_issue_closure(args, expected_delta):
                          [
                              ("Other=Other,Duplicate=Other,False Positive=False Positive,Resolved=True Positive",
                               ["resolved_other", "resolved_other", "resolved_false_positive", "resolved_true_positive",
-                               "resolved_security_testing"]),
+                               "resolved_security_testing", "resolved_other"]),
 
                              ("Other=True Positive,Duplicate=Other,False Positive=False Positive,Resolved=True Positive",
                               ["resolved_true_positive", "resolved_other", "resolved_false_positive",
-                               "resolved_true_positive", "resolved_security_testing"]),
+                               "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              ("Duplicate=Other", ["resolved_other", "resolved_other", "resolved_false_positive",
-                                                  "resolved_true_positive", "resolved_security_testing"]),
+                                                  "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used when no mapping provided.
-                             ("", list(XSOAR_RESOLVED_STATUS_TO_XDR.values())),
+                             ("", ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                                   "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used when improper mapping is provided.
-                             ("Duplicate=RANDOM1, Other=Random2", list(XSOAR_RESOLVED_STATUS_TO_XDR.values())),
+                             ("Duplicate=RANDOM1, Other=Random2",
+                              ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                               "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
-                             ("Random1=Duplicate Incident", list(XSOAR_RESOLVED_STATUS_TO_XDR.values())),
+                             ("Random1=Duplicate Incident",
+                              ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                               "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used when improper mapping *format* is provided.
-                             ("Duplicate=Other False Positive=Other", list(XSOAR_RESOLVED_STATUS_TO_XDR.values())),
+                             ("Duplicate=Other False Positive=Other",
+                              ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                               "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used for when improper key-value pair *format* is provided.
                              ("Duplicate=Other, False Positive=Other True Positive=Other, Other=True Positive",
                               ["resolved_true_positive", "resolved_other", "resolved_false_positive",
-                               "resolved_true_positive", "resolved_security_testing"]),
+                               "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                          ],
                          ids=["case-1", "case-2", "case-3", "empty-case", "improper-input-case-1", "improper-input-case-2",
@@ -3895,8 +3902,8 @@ def test_xsoar_to_xdr_flexible_close_reason_mapping(capfd, mocker, custom_mappin
     mocker.patch.object(demisto, 'params', return_value={"mirror_direction": "Both",
                                                          "custom_xsoar_to_xdr_close_reason_mapping": custom_mapping})
 
-    all_xsoar_close_reasons = XSOAR_RESOLVED_STATUS_TO_XDR.keys()
-    for i, close_reason in enumerate(all_xsoar_close_reasons):
+    possible_xsoar_close_reasons = list(XSOAR_RESOLVED_STATUS_TO_XDR.keys()) + ["CUSTOM_CLOSE_REASON"]
+    for i, close_reason in enumerate(possible_xsoar_close_reasons):
         remote_args = UpdateRemoteSystemArgs({'delta': {'closeReason': close_reason},
                                               'status': 2,
                                               'inc_status': 2,

Packs/ApiModules/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "ApiModules",
     "description": "API Modules",
     "support": "xsoar",
-    "currentVersion": "2.2.22",
+    "currentVersion": "2.2.23",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Core/ReleaseNotes/3_0_24.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+
+Fixed an issue in CoreIRApiModule regarding close reason resolution.

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "3.0.23",
+    "currentVersion": "3.0.24",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexXDR/ReleaseNotes/6_1_28.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Palo Alto Networks Cortex XDR - Investigation and Response
+
+Fixed an issue in CoreIRApiModule regarding close reason resolution.

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "6.1.27",
+    "currentVersion": "6.1.28",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/ctf01/ReleaseNotes/1_0_11.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Cortex XDR - IR CTF
+
+Fixed an issue in CoreIRApiModule regarding close reason resolution.

Packs/ctf01/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Capture The Flag - 01",
     "description": "XSOAR's Capture the flag (CTF)",
     "support": "xsoar",
-    "currentVersion": "1.0.10",
+    "currentVersion": "1.0.11",
     "serverMinVersion": "8.2.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",