diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py
index 0f8506777a2a..81d8a014696e 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py
@@ -1039,9 +1039,15 @@ def update_remote_system_command(client, args):
 close_xdr_incident = argToBoolean(client._params.get("close_xdr_incident", True))
+ status = ""
+ # If the client does not want to close the incident in XDR, temporarily remove the status from the arguments
+ # to update the incident, and add it back later to close the alerts.
 if not close_xdr_incident and (update_args.get('status') in XSOAR_RESOLVED_STATUS_TO_XDR.values()):
 status = update_args.pop('status')
- demisto.debug(f"Popped {status=} from update_args, incident status won't be updated in XDR.")
+ resolve_comment = update_args.pop('resolve_comment', None)
+
+ demisto.debug(f"Popped status {status} and {resolve_comment=} from update_args," f" incident status won't be updated in XDR.")
 update_incident_command(client, update_args)
@@ -1051,6 +1057,9 @@ def update_remote_system_command(client, args):
 if is_closed and closed_without_status and remote_is_already_closed:
 update_args['status'] = current_remote_status
 if close_alerts_in_xdr and is_closed:
+ if status:
+ update_args['status'] = status
+ demisto.debug(f'Restored {status=} in order to update the alerts status.')
 update_related_alerts(client, update_args)
 else:
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
index 92cbfa4c0452..a7a770895396 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
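Review bot: The comment above `status = ""` says the popped fields are added back later, but `resolve_comment` is only bound inside the `if` branch and nothing visible in this function re-attaches it, so when a resolved status is restored for the alert update the analyst's close comment is dropped. Initialize it beside the sentinel, `resolve_comment = None`, so the restore step can re-add it with `if resolve_comment: update_args['resolve_comment'] = resolve_comment`. Separately, the new debug line writes the analyst-entered comment text verbatim into the integration debug log, which commonly ends up in support bundles; if that matters here, log only whether a comment was present rather than its content. update_remote_system_command starts before and continues after this hunk, so how is_closed and closed_without_status are derived is not visible.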
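Review bot: The added `if status:` block assigns `update_args['status'] = status` right after the preceding `if` may have set it to `current_remote_status`, so when both conditions hold the remote's existing status is silently replaced by the locally popped one before `update_related_alerts` runs. If that override is the intended outcome of the fix, say so where the reader will look, e.g. `# deliberately overrides current_remote_status: the popped XSOAR status is what the alerts must be closed with`; if closed_without_status can never be true once a status was popped, say that instead so the ordering reads as safe. I cannot confirm either way because closed_without_status, remote_is_already_closed and is_closed are computed between the two hunks. The `else:` branch and the rest of update_remote_system_command continue past this hunk.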
@@ -63,7 +63,7 @@ configuration:
 section: Collect
 advanced: true
 required: false
-- additionalinfo: When selected, closing the Cortex XSOAR incident is mirrored in Cortex XDR.
+- additionalinfo: "When selected, closing the Cortex XSOAR incident is mirrored in Cortex XDR. Notice: If not selected, but 'Close all related alerts in XDR' is selected, the incident will automatically be closed in Cortex XDR."
 defaultvalue: 'true'
 display: Close Mirrored Cortex XDR Incident
 name: close_xdr_incident
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_description.md b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_description.md
index 0378911476cb..8dce5e7773ce 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_description.md
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_description.md
@@ -22,4 +22,6 @@
 **Close-reason default mapping XDR -> XSOAR**: _Known Issue=Other, Duplicate Incident=Duplicate, False Positive=False Positive, True Positive=Resolved, Other=Other, Auto=Resolved_
+**Close Mirrored Cortex XDR Incident**: In case this checkbox is not selected but **Close all related alerts in XDR** is selected, the incident will be closed automatically,
+
 [View Integration Documentation](https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ir)
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py
index 635dea3e6d63..742cf3733eec 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py
@@ -729,7 +729,9 @@ def test_update_remote_system_command(incident_changed, delta):
 @pytest.mark.parametrize("data", [
 {'close_reason': 'Resolved', 'status': 'Other'},
 {'CortexXDRIRstatus': 'resolved', 'close_reason': 'Resolved', 'status': 'False Positive'},
- {'status': 'under_investigation'}
+ {'status': 'under_investigation'},
+ {'status': 'Resolved', 'resolve_comment': 'comment'},
+ {'status': 'False Positive', 'resolve_comment': 'comment'}
 ])
 def test_update_remote_system_command_should_not_close_xdr_incident(mocker, data):
 """
@@ -765,8 +767,20 @@ def test_update_remote_system_command_should_not_close_xdr_incident(mocker, data
 update_args = mock_update_incident_command.call_args[0][1]
 if data.get('status') in XSOAR_RESOLVED_STATUS_TO_XDR:
 assert 'status' not in update_args
+ assert 'resolve_comment' not in update_args
 else:
 assert 'status' in update_args
+ if data.get('resolve_comment'):
+ assert 'resolve_comment' in update_args
+
+ # checks when close_all_alerts is true -> should update only the alerts status
+ client._params['close_alerts_in_xdr'] = True
+ mock_update_related_alerts = mocker.patch('CortexXDRIR.update_related_alerts')
+ update_remote_system_command(client, args)
+
+ if mock_update_related_alerts.called:
+ update_args = mock_update_related_alerts.call_args[0][1]
+ assert 'status' in update_args
 @freeze_time("1997-10-05 15:00:00 GMT")
diff --git a/Packs/CortexXDR/ReleaseNotes/6_1_91.md b/Packs/CortexXDR/ReleaseNotes/6_1_91.md
new file mode 100644
index 000000000000..026bb8fff31c
--- /dev/null
+++ b/Packs/CortexXDR/ReleaseNotes/6_1_91.md
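Review bot: The new `if mock_update_related_alerts.called:` guard lets the second half of the test pass vacuously whenever `update_related_alerts` is never invoked, which is the very regression the two `resolve_comment` parametrizations were added to catch. For the resolved-status cases assert the call itself, `if data.get('status') in XSOAR_RESOLVED_STATUS_TO_XDR: mock_update_related_alerts.assert_called_once()`, and then check `update_args['status']` against the value that was popped instead of only that the key exists; the exact expected value depends on how `args` is built earlier in this test, outside the hunk. The second `update_remote_system_command(client, args)` call reuses the `client` and `args` prepared for the first call, presumably with close_xdr_incident still disabled, so a comment like `# second pass: same client/args, now with close_alerts_in_xdr enabled` would make that setup explicit. test_update_remote_system_command_should_not_close_xdr_incident starts before this hunk.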
@@ -0,0 +1,6 @@
+#### Integrations
+
+##### Palo Alto Networks Cortex XDR - Investigation and Response
+
+- Fixed an issue with outgoing mirroring when closing an incident in Cortex XSOAR with *close_xdr_incident* set to False resulted in a 500 error.
+- Fixed an issue with outgoing mirroring when closing an incident in Cortex XSOAR with *close_xdr_incident* set to False and *close_alerts_in_xdr* set to True resulted in an error.
\ No newline at end of file
diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json
index 2f4f816abdba..1d51f5f6aaa2 100644
--- a/Packs/CortexXDR/pack_metadata.json
+++ b/Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cortex XDR by Palo Alto Networks",
 "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
 "support": "xsoar",
- "currentVersion": "6.1.90",
+ "currentVersion": "6.1.91",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",