XDR IR fix in close_xdr_incident error 500 (demisto#37246)

* Added another fix when close_alerts_in_xdr is marked but close_xdr_incident not selected



---------

Co-authored-by: noy <nodavidi.paloaltonetworks.com>
Co-authored-by: ShirleyDenkberg <[email protected]>

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py

@@ -1039,9 +1039,15 @@ def update_remote_system_command(client, args):
 
             close_xdr_incident = argToBoolean(client._params.get("close_xdr_incident", True))
 
+            status = ""
+            # If the client does not want to close the incident in XDR, temporarily remove the status from the arguments
+            # to update the incident, and add it back later to close the alerts.
             if not close_xdr_incident and (update_args.get('status') in XSOAR_RESOLVED_STATUS_TO_XDR.values()):
                 status = update_args.pop('status')
-                demisto.debug(f"Popped {status=} from update_args, incident status won't be updated in XDR.")
+                resolve_comment = update_args.pop('resolve_comment', None)
+
+                demisto.debug(f"Popped status {status} and {resolve_comment=} from update_args,"
+                              f" incident status won't be updated in XDR.")
 
             update_incident_command(client, update_args)
 
@@ -1051,6 +1057,9 @@ def update_remote_system_command(client, args):
             if is_closed and closed_without_status and remote_is_already_closed:
                 update_args['status'] = current_remote_status
             if close_alerts_in_xdr and is_closed:
+                if status:
+                    update_args['status'] = status
+                    demisto.debug(f'Restored {status=} in order to update the alerts status.')
                 update_related_alerts(client, update_args)
 
         else:

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml

@@ -63,7 +63,7 @@ configuration:
   section: Collect
   advanced: true
   required: false
-- additionalinfo: When selected, closing the Cortex XSOAR incident is mirrored in Cortex XDR.
+- additionalinfo: "When selected, closing the Cortex XSOAR incident is mirrored in Cortex XDR. Notice: If not selected, but 'Close all related alerts in XDR' is selected, the incident will automatically be closed in Cortex XDR."
   defaultvalue: 'true'
   display: Close Mirrored Cortex XDR Incident
   name: close_xdr_incident

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_description.md

@@ -22,4 +22,6 @@
 
 **Close-reason default mapping XDR -> XSOAR**: _Known Issue=Other, Duplicate Incident=Duplicate, False Positive=False Positive, True Positive=Resolved, Other=Other, Auto=Resolved_
 
+**Close Mirrored Cortex XDR Incident**: In case this checkbox is not selected but **Close all related alerts in XDR** is selected, the incident will be closed automatically,
+
 [View Integration Documentation](https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ir)

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py

@@ -729,7 +729,9 @@ def test_update_remote_system_command(incident_changed, delta):
 @pytest.mark.parametrize("data", [
     {'close_reason': 'Resolved', 'status': 'Other'},
     {'CortexXDRIRstatus': 'resolved', 'close_reason': 'Resolved', 'status': 'False Positive'},
-    {'status': 'under_investigation'}
+    {'status': 'under_investigation'},
+    {'status': 'Resolved', 'resolve_comment': 'comment'},
+    {'status': 'False Positive', 'resolve_comment': 'comment'}
 ])
 def test_update_remote_system_command_should_not_close_xdr_incident(mocker, data):
     """
@@ -765,8 +767,20 @@ def test_update_remote_system_command_should_not_close_xdr_incident(mocker, data
     update_args = mock_update_incident_command.call_args[0][1]
     if data.get('status') in XSOAR_RESOLVED_STATUS_TO_XDR:
         assert 'status' not in update_args
+        assert 'resolve_comment' not in update_args
     else:
         assert 'status' in update_args
+        if data.get('resolve_comment'):
+            assert 'resolve_comment' in update_args
+
+    # checks when close_all_alerts is true -> should update only the alerts status
+    client._params['close_alerts_in_xdr'] = True
+    mock_update_related_alerts = mocker.patch('CortexXDRIR.update_related_alerts')
+    update_remote_system_command(client, args)
+
+    if mock_update_related_alerts.called:
+        update_args = mock_update_related_alerts.call_args[0][1]
+        assert 'status' in update_args
 
 
 @freeze_time("1997-10-05 15:00:00 GMT")

Packs/CortexXDR/ReleaseNotes/6_1_91.md

@@ -0,0 +1,6 @@
+#### Integrations
+
+##### Palo Alto Networks Cortex XDR - Investigation and Response
+
+- Fixed an issue with outgoing mirroring when closing an incident in Cortex XSOAR with *close_xdr_incident* set to False resulted in a 500 error.
+- Fixed an issue with outgoing mirroring when closing an incident in Cortex XSOAR with *close_xdr_incident* set to False and *close_alerts_in_xdr* set to True resulted in an error.

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "6.1.90",
+    "currentVersion": "6.1.91",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",