[Marketplace Contribution] Microsoft Sentinel - Content Pack Update (demisto#39230) (demisto#39322)

* "contribution update to pack 'Microsoft Sentinel'"

* Revert unwanted changes

* Update Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml



* Update Packs/AzureSentinel/Integrations/AzureSentinel/README.md



* Update Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml



* Revert unwanted changes part 2

* Aligned tests to the input type change

* update release notes

* fix unittest

* Update Packs/AzureSentinel/ReleaseNotes/1_5_60.md



* fix

* Added a note to the readme regarding the debugger panel (demisto#39243)

* CRTX-133204-Trellix_ePO-fix (demisto#39248)

* changed metadata file

* added release notes

* added release notes

---------



* fix: get mapping fields function does not except any arguments (demisto#38786) (demisto#39261)

* fix: get mapping fields function does not except any arguments

* feat: add Bryan van der Net to CONTRIBUTORS.json

* fix: update SentinelOne V2 integration to resolve mapping fields error and enhance configuration sections

* fix: update Docker image version for SentinelOne V2 integration

* docs: update Docker image version in release notes for SentinelOne V2 integration

* Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml



* Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml



* Update Packs/SentinelOne/ReleaseNotes/3_2_37.md



* Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml



* style: pr still showing changes on the release notes

* Bump version and generate release notes



* revert: revert config changes

* chore: bump version and update release notes

* style: undo random formatting changes

---------





* Modeling rules modification - CRTX-151278 (demisto#39103)

* Modified modeling rule after the modification of the integration

* Fixed schema file

* Added release note and modified modeling rule

* Pack's version update

* Update Packs/qualys/ReleaseNotes/3_2_4.md



* Modified modeling rule

* Bump pack from version qualys to 3.2.5.

* Added xdm.event.type to assets events

* Added tag

* Fixed schema file

* Fixed schema file

---------




* Update Pan-OS playbook for supporting version 11 (demisto#39249)

* added itamar (demisto#39265)

* Added the validate-validation-config-file hook to content (demisto#39260)

* Added the validate-validation-config-file hook to content

* fixes

* fix validations

* Automation research releases (demisto#39270)

* new playbook - First Azure AD PowerShell operation for a user (demisto#39159)

* new playbook

* RN

* description fixed

* added ignore

* Bump pack from version CortexResponseAndRemediation to 1.1.25.

* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml



* task description

* position fix

* fix for old link to documentation

* continue on error

* fix

* skip if

* fix

* fix

* added issilent: true

---------





* Automation Research Release - 1 (demisto#39269)

* fix: get mapping fields function does not except any arguments (demisto#38786) (demisto#39261)

* fix: get mapping fields function does not except any arguments

* feat: add Bryan van der Net to CONTRIBUTORS.json

* fix: update SentinelOne V2 integration to resolve mapping fields error and enhance configuration sections

* fix: update Docker image version for SentinelOne V2 integration

* docs: update Docker image version in release notes for SentinelOne V2 integration

* Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml



* Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml



* Update Packs/SentinelOne/ReleaseNotes/3_2_37.md



* Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml



* style: pr still showing changes on the release notes

* Bump version and generate release notes



* revert: revert config changes

* chore: bump version and update release notes

* style: undo random formatting changes

---------





* Modeling rules modification - CRTX-151278 (demisto#39103)

* Modified modeling rule after the modification of the integration

* Fixed schema file

* Added release note and modified modeling rule

* Pack's version update

* Update Packs/qualys/ReleaseNotes/3_2_4.md



* Modified modeling rule

* Bump pack from version qualys to 3.2.5.

* Added xdm.event.type to assets events

* Added tag

* Fixed schema file

* Fixed schema file

---------




* Update Pan-OS playbook for supporting version 11 (demisto#39249)

* added itamar (demisto#39265)

---------











---------













* add codeowner (demisto#39272)

* [GenericPolling] Update docs (demisto#39250)

* RN

* Update Packs/CommonPlaybooks/ReleaseNotes/2_6_55.md



* Update Packs/CommonPlaybooks/ReleaseNotes/2_6_55.md



---------




* edit readme file (demisto#39196)

* edit readme file

* documentation after tech writing fixes

* fix to soft break (line break)

* improve images resolution

* change permission list to bullet style

* [Code owners] Update ContentManagement with talzich (demisto#39284)

* Platform content support merge gateway (demisto#39268)

* batch_1 (demisto#39162)

* Adopt 'platform' MP to content packs #2 (demisto#39163)

* batch_2

* revert incorrect changes

* revert incorrect changes

* remove identity_threat

---------



* Adopt 'platform' MP to content packs demisto#3 (demisto#39164)

* batch_3

* remove identity_threat

---------



* batch_4 (demisto#39165)

* Adopt 'platform' MP to content packs demisto#6 (demisto#39167)

* batch_6

* revert incorrect changes

* batch_7 (demisto#39168)

* Adopt 'platform' MP to content packs #8 (demisto#39169)

* batch_8

* revert incorrect changes

* Update Packs/CommonScripts/pack_metadata.json

---------



* Adopt 'platform' MP to content packs demisto#9 (demisto#39170)

* batch_9

* revert quick actions

* revert incorrect changes

* revert incorrect changes

* batch_5 (demisto#39232)

* batch_10 (demisto#39171)

* batch_11 (demisto#39172)

* Adopt 'platform' MP to content packs #12 (demisto#39173)

* batch_12

* revert incorrect changes

* batch_13 (demisto#39174)

* Adopt 'platform' MP to content packs demisto#14 (demisto#39175)

* batch_14

* revert incorrect changes

* Adopt 'platform' MP to content packs demisto#15 (demisto#39176)

* batch_15

* Update Packs/FiltersAndTransformers/pack_metadata.json

---------



* batch_16 (demisto#39177)

* batch_17 (demisto#39178)

* Adopt 'platform' MP to content packs demisto#18 (demisto#39179)

* batch_18

* revert incorrect changes

* Adopt 'platform' MP to content packs demisto#19 (demisto#39180)

* batch_19

* Update Packs/Jira/pack_metadata.json

---------



* batch_20 (demisto#39181)

* Adopt 'platform' MP to content packs demisto#21 (demisto#39182)

* batch_21

* revert incorrect changes

* remove identity_threat

---------



* Adopt 'platform' MP to content packs demisto#22 (demisto#39183)

* batch_22

* revert incorrect changes

* Update Packs/Office365AndAzureAuditLog/pack_metadata.json

---------



* batch_24 (demisto#39185)

* Adopt 'platform' MP to content packs demisto#25 (demisto#39186)

* batch_25

* Update Packs/PingIdentity/pack_metadata.json

* Update Packs/PrismaAccess/pack_metadata.json

---------



* Adopt 'platform' MP to content packs demisto#26 (demisto#39187)

* batch_26

* revert incorrect changes

* Adopt 'platform' MP to content packs #27 (demisto#39188)

* batch_27

* revert incorrect changes

* Adopt 'platform' MP to content packs demisto#28 (demisto#39189)

* batch_28

* revert incorrect changes

* remove identity_threat

---------



* Adopt 'platform' MP to content packs demisto#29 (demisto#39190)

* batch_29

* revert incorrect changes

* Update Packs/Slack/pack_metadata.json

---------



* batch_30 (demisto#39191)

* batch_31 (demisto#39192)

* Adopt 'platform' MP to content packs demisto#32 (demisto#39193)

* batch_32

* Update Packs/Workday/pack_metadata.json

---------



* batch_33 (demisto#39194)

* Adopt 'platform' MP to content packs demisto#23 (demisto#39184)

* batch_23

* revert incorrect changes

* remove identity_threat

---------



* fix json

* limit common scripts

* fix Core layouts

* fix Core layouts

---------




* IBM HA - add "haIntegrationEventID" to multiple integrations (demisto#38846)

* add haIntegrationEventID key to qradar incidents

* added rn

* fixes

* in progress

* reverts & preperation

* tests fixes

* added haIntegrationEventID to more itnegrations

* added rns

* fixes

* fixes

* added sections to uptycs

* work in progress, save before testing

* working windows integration

* done all 9 integrations

* added rns

* fix proof point

* fix unit test

* validations fixes

* validations fixes

* reverts

* update uptycs contacts

* update rns

* update rns

* revert ms atp

* reverts

* reverts

* updated docker

* fixed empty offset issue

* added rn

* reverts

* Add ICDM Integration (demisto#38982) (demisto#39283)

* Add ICDM Integration

* Fix Formatting and Pipeline errors

* Update Sections

* Minor changes and refactors to address Review comments

* Fix Unit test for network indicator

* do not use deprecated method utcnow()

* Fix context path and format readable output of Protection Commands

* Update Readme

* Fix version info in Readme



* Box Quick Update (demisto#39267)

* Updated README and pack_metadata

* Updated README

* Update Packs/Box/README.md



* Update Packs/Box/README.md



* Update Packs/Box/README.md



* Update Packs/Box/README.md



---------



* [Trellix_ePO] Remove MP xsoar (demisto#39296)

* hide pack (demisto#39290) (demisto#39294)



* CortexCoreIR: added `quick actions` commands (demisto#38663)

* added prettynames placeholder

* added quickaction

* update prettypredefined

* capital prettyPredefined

* update prettypredefined

* JUST FOR TEST SDK FIX

* correct prettypredefined

* test script

* uuse sdk from branch

* added supportedModules

* adding the wrapper commands

* remove "platform" properties from script

* revert poetry changes

* remove quick action from the orig command

* correct the name of quick actions

* fix wrong

* update CoreIR integration with IA related & py code

* PM changes

* restore pack_metadata

* replace placeholders

* run ruff format after merge master

* added RN

* fix alert

* update the RN

---------



* drop CortexVulnerabilityManagement from platform (demisto#39299)

* Nivbs/ciac 13013 quick actions (demisto#38979)

* Added first draft for Quick action: Create Issue in Jira

* Added first draft for Quick action: Create ServiceNow Ticket

* Fixing Items in JIRA quick action

* Adding Corrects Fields in Open Service Now Ticket

* Quick Action Slack Integration

* Quick Action MSFT Teams Integration

* re-format the ${issue} syntax after clarifications

* Adding Platform to pack_metadata.json

* Updating pack_metadata.json for all Packs, according to platform-content-support

* update supportsquickactions to higher scope
adding hidden to relevant quiack-action cmds

* Update slack to slackV3

* Remove deprecated arguments from JIRA cmd

* Update default Value in Jira

* Update Docker images versions

* Update Release notes for quick actions Packs

* Adding supports quick action for slack V3

* Change order of pre-defined options

* Change defaultValue to predefined

* Change pretty name for short_description in ServiceNowv2.yml

* Remove prettyname for non required params

* Update JiraV3.yml according to design changes

* Update MicrosoftTeams.yml according to design changes

* Update SlackV3.yml according to design changes

* Update ServiceNowv2.yml according to design changes

* Change from issue to alert keyword

* Fixes After demo: Remove user option from teams and slack. Remove defaultValue from Servicenow TicketType

* After Server fix - change from alert to issue keyword

* Update Packs/Slack/ReleaseNotes/3_5_11.md



* Update Packs/Slack/ReleaseNotes/3_5_11.md



* Update Packs/ServiceNow/ReleaseNotes/2_7_8.md



* Update Packs/ServiceNow/Integrations/ServiceNowv2/ServiceNowv2.yml



* Update Packs/Jira/Integrations/JiraV3/JiraV3.yml



* Update Packs/Jira/Integrations/JiraV3/JiraV3.yml



* Update Packs/Jira/ReleaseNotes/3_2_16.md



* Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md



* Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md



* Update Packs/ServiceNow/Integrations/ServiceNowv2/ServiceNowv2.yml



* Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md



* Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md



* Update Packs/ServiceNow/Integrations/ServiceNowv2/ServiceNowv2.yml



* Apply suggestions from code review



* Update release note file name

* Update description after pre commit notes

* Create 3_5_12.md

* Update Descriptions and params after product meeting

* Revert "Create 3_5_12.md"

This reverts commit 348e186.

* Because of ST failed - update description in commands

* batch_1 (demisto#39162)

* Adopt 'platform' MP to content packs #2 (demisto#39163)

* batch_2

* revert incorrect changes

* revert incorrect changes

* remove identity_threat

---------



* Adopt 'platform' MP to content packs demisto#3 (demisto#39164)

* batch_3

* remove identity_threat

---------



* batch_4 (demisto#39165)

* Adopt 'platform' MP to content packs demisto#6 (demisto#39167)

* batch_6

* revert incorrect changes

* batch_7 (demisto#39168)

* Adopt 'platform' MP to content packs #8 (demisto#39169)

* batch_8

* revert incorrect changes

* Update Packs/CommonScripts/pack_metadata.json

---------



* Adopt 'platform' MP to content packs demisto#9 (demisto#39170)

* batch_9

* revert quick actions

* revert incorrect changes

* revert incorrect changes

* batch_5 (demisto#39232)

* batch_10 (demisto#39171)

* batch_11 (demisto#39172)

* Adopt 'platform' MP to content packs #12 (demisto#39173)

* batch_12

* revert incorrect changes

* batch_13 (demisto#39174)

* Adopt 'platform' MP to content packs demisto#14 (demisto#39175)

* batch_14

* revert incorrect changes

* Adopt 'platform' MP to content packs demisto#15 (demisto#39176)

* batch_15

* Update Packs/FiltersAndTransformers/pack_metadata.json

---------



* batch_16 (demisto#39177)

* batch_17 (demisto#39178)

* Adopt 'platform' MP to content packs demisto#18 (demisto#39179)

* batch_18

* revert incorrect changes

* Adopt 'platform' MP to content packs demisto#19 (demisto#39180)

* batch_19

* Update Packs/Jira/pack_metadata.json

---------



* batch_20 (demisto#39181)

* Adopt 'platform' MP to content packs demisto#21 (demisto#39182)

* batch_21

* revert incorrect changes

* remove identity_threat

---------



* Adopt 'platform' MP to content packs demisto#22 (demisto#39183)

* batch_22

* revert incorrect changes

* Update Packs/Office365AndAzureAuditLog/pack_metadata.json

---------



* batch_24 (demisto#39185)

* Adopt 'platform' MP to content packs demisto#25 (demisto#39186)

* batch_25

* Update Packs/PingIdentity/pack_metadata.json

* Update Packs/PrismaAccess/pack_metadata.json

---------



* Adopt 'platform' MP to content packs demisto#26 (demisto#39187)

* batch_26

* revert incorrect changes

* Adopt 'platform' MP to content packs #27 (demisto#39188)

* batch_27

* revert incorrect changes

* Adopt 'platform' MP to content packs demisto#28 (demisto#39189)

* batch_28

* revert incorrect changes

* remove identity_threat

---------



* Adopt 'platform' MP to content packs demisto#29 (demisto#39190)

* batch_29

* revert incorrect changes

* Update Packs/Slack/pack_metadata.json

---------



* batch_30 (demisto#39191)

* batch_31 (demisto#39192)

* Adopt 'platform' MP to content packs demisto#32 (demisto#39193)

* batch_32

* Update Packs/Workday/pack_metadata.json

---------



* batch_33 (demisto#39194)

* Adopt 'platform' MP to content packs demisto#23 (demisto#39184)

* batch_23

* revert incorrect changes

* remove identity_threat

---------



* fix json

* limit common scripts

* Revert "Merge branch 'test-platform-mp' into nivbs/CIAC-13013_Quick_Actions"

This reverts commit 78e897c, reversing
changes made to d2885a5.

* Update release notes before pre commit

* Update release notes before pre commit

* Update current version in pack_metadata.json

* Applying changes to adjust pre-commit tests

* Making sure that send slack message and send teams message dont run as one action

* Updating SlackV3_test.py to support new version

* Revert docker changes in slack and teams because of build not supporting new versions

* Revert slack test changes becuase docker versions were not updated

* Remove Unnecessary description in Teams

---------







* Fix validate content tpb (demisto#39297)

* Increase timeout

* fix tpb yml

* FormatURL does not correctly extract URLs from URLs of type ProofPoint URLDefense v3 (demisto#39086)

* first commit

* add rn

* add tests- urls are from api

* Bump pack from version CommonScripts to 1.19.34.

* improve code

* Bump pack from version ApiModules to 2.2.43.

* add rn

* fix docker

* fix code

* fix pre-commit

* fix pre-commit

* fix pre-commit

* fix pre-commit

* fix test

* Bump pack from version CommonScripts to 1.19.35.

* fix test

* fix test playbook

* fix warnings

* fix warnings

* fix warnings

* fix warnings

---------



* Modified readme file - Proofpoint TAP (demisto#39289)

* Modified readme file

* Update Packs/ProofpointTAP/README.md



---------



* Improve handling of command execution timeout using timed thread in QualysV2 (demisto#39074)

* Updated Silverfort Pack README (demisto#38764) (demisto#39304)

* Updated Silverfort README

* Updated based on ilaredo's feedback

* Trigger build workflow



* Fix for list of techniques in InvestigationDetailedSummaryToTable (demisto#39291)

* fix for customer issue

* FeedDomainTools Release v1.0.1 (demisto#39280) (demisto#39305)

* Add release notes

* Removed release notes

* Add domain discovery feed.

* Added domainrdap feeds

* Add test cases for domainrdap feeds

* Revert hardcoded indicator type

* Remove unnecessary comment

* Update README

* Update release notes



* Fix upload flow core packs validation (demisto#39306)

* update the RN

* empty

* Intense sso failures fix (demisto#39301)

* Change 90 days to 1 day

* Change 90 days to 1 day

* RN

---------

Co-authored-by: xsoar-bot <[email protected]>
Co-authored-by: ROCCO <[email protected]>
Co-authored-by: ispRM <[email protected]>
Co-authored-by: inbalapt1 <[email protected]>
Co-authored-by: [email protected] <[email protected]>
Co-authored-by: Shachar Kidor <[email protected]>
Co-authored-by: sdaniel6 <[email protected]>
Co-authored-by: Shahaf Ben Yakir <[email protected]>
Co-authored-by: bryanster <[email protected]>
Co-authored-by: Jelle Hol <[email protected]>
Co-authored-by: yasta5 <[email protected]>
Co-authored-by: ShirleyDenkberg <[email protected]>
Co-authored-by: Content Bot <[email protected]>
Co-authored-by: Niv Ben Salmon <[email protected]>
Co-authored-by: EyalPintzov <[email protected]>
Co-authored-by: Yuval Hayun <[email protected]>
Co-authored-by: Daniel Rezvani <[email protected]>
Co-authored-by: Karina Fishman <[email protected]>
Co-authored-by: Adi Peretz <[email protected]>
Co-authored-by: Jacob Levy <[email protected]>
Co-authored-by: Arad Carmi <[email protected]>
Co-authored-by: lironcohen272 <[email protected]>
Co-authored-by: Menachem Weinfeld <[email protected]>
Co-authored-by: barryyosi-panw <[email protected]>
Co-authored-by: Israel Lappe <[email protected]>
Co-authored-by: darbel <[email protected]>
Co-authored-by: rundssoar <[email protected]>
Co-authored-by: eepstain <[email protected]>
Co-authored-by: johnnywilkes <[email protected]>
Co-authored-by: Danny_Fried <[email protected]>
Co-authored-by: barryyosi-panw <[email protected]>
Co-authored-by: Tal Zichlinsky <[email protected]>
Co-authored-by: Tal Carmeli <[email protected]>
Co-authored-by: Kamal Qarain <[email protected]>
Co-authored-by: Frank Gasparovic <[email protected]>
Co-authored-by: Andrew Shamah <[email protected]>
Co-authored-by: Bri <[email protected]>
Co-authored-by: Tomer Haimof <[email protected]>
Co-authored-by: RotemAmit <[email protected]>

Author: 37 people

Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py

@@ -473,6 +473,19 @@ def severity_to_level(severity):
     return 0
 
 
+def severity_filter(min_severity):
+    """
+    Create Severity Filter when min_severity >= Low.
+    """
+    severity_levels = ["Low", "Medium", "High"]
+    severity_filter = ""
+    if min_severity in severity_levels:
+        min_level = severity_to_level(min_severity)
+        conditions = [f"properties/severity eq '{s}'" for s in severity_levels if severity_to_level(s) >= min_level]
+        severity_filter = f"and ({ ' or '.join(conditions) })"
+    return severity_filter
+
+
 def generic_list_incident_items(client, incident_id, items_kind, key_in_raw_result, outputs_prefix, xsoar_transformer):
     """
     Get a list of incident's items
@@ -1312,7 +1325,7 @@ def fetch_incidents_additional_info(client: AzureSentinelClient, incidents: List
             incident[info_type] = client.http_request(method, f'incidents/{incident_id}/{info_type}').get(results_key)
 
 
-def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_time: str, min_severity: int) -> tuple:
+def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_time: str, min_severity: str) -> tuple:
     """Fetching incidents.
     Args:
         first_fetch_time: The first fetch time.
@@ -1346,21 +1359,23 @@ def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_tim
 
         latest_created_time_str = latest_created_time.strftime(DATE_FORMAT)
         command_args = {
-            'filter': f'properties/createdTimeUtc ge {latest_created_time_str}',
+            'filter': f'properties/createdTimeUtc ge {latest_created_time_str} {severity_filter(min_severity)}',
             'orderby': 'properties/createdTimeUtc asc',
             'limit': limit
         }
+        demisto.debug(f"Filter query used:{command_args['filter']}")
 
     else:
         demisto.debug("last fetch time is empty, trying to fetch incidents by last incident id")
         latest_created_time = dateparser.parse(last_fetch_time)
         if latest_created_time is None:
             raise DemistoException(f"{last_fetch_time=} couldn't be parsed")
         command_args = {
-            'filter': f'properties/incidentNumber gt {last_incident_number}',
+            'filter': f'properties/incidentNumber gt {last_incident_number} {severity_filter(min_severity)}',
             'orderby': 'properties/incidentNumber asc',
             'limit': limit
         }
+        demisto.debug(f"Filter query used:{command_args['filter']}")
 
     raw_incidents = list_incidents_command(client, command_args, is_fetch_incidents=True).outputs
     if isinstance(raw_incidents, dict):
@@ -1371,14 +1386,14 @@ def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_tim
 
     fetch_incidents_additional_info(client, raw_incidents)
 
-    return process_incidents(raw_incidents, min_severity,
+    return process_incidents(raw_incidents,
                              latest_created_time, last_incident_number)  # type: ignore[attr-defined]
 
 
 def fetch_incidents_command(client, params):
     # How much time before the first fetch to retrieve incidents
     first_fetch_time = params.get('fetch_time', '3 days').strip()
-    min_severity = severity_to_level(params.get('min_severity', 'Informational'))
+    min_severity = params.get('min_severity', 'Informational')
     # Set and define the fetch incidents command to run after activated via integration settings.
     last_run = demisto.getLastRun()
     demisto.debug(f"Current last run is {last_run}")
@@ -1393,14 +1408,13 @@ def fetch_incidents_command(client, params):
     demisto.incidents(incidents)
 
 
-def process_incidents(raw_incidents: list, min_severity: int, latest_created_time: datetime,
+def process_incidents(raw_incidents: list, latest_created_time: datetime,
                       last_incident_number):
     """Processing the raw incidents
     Args:
         raw_incidents: The incidents that were fetched from the API.
         last_incident_number: The last incident number that was fetched.
         latest_created_time: The latest created time.
-        min_severity: The minimum severity.
 
     Returns:
         A next_run dictionary, and an array of incidents.
@@ -1417,23 +1431,20 @@ def process_incidents(raw_incidents: list, min_severity: int, latest_created_tim
 
         incident_created_time = dateparser.parse(incident.get('CreatedTimeUTC'))
         current_fetch_ids.append(incident.get('ID'))
-        if incident_severity >= min_severity:
-            add_mirroring_fields(incident)
-            xsoar_incident = {
-                'name': '[Azure Sentinel] ' + incident.get('Title'),
-                'occurred': incident.get('CreatedTimeUTC'),
-                'severity': incident_severity,
-                'rawJSON': json.dumps(incident)
-            }
-            incidents.append(xsoar_incident)
-        else:
-            demisto.debug(f"drop creation of {incident.get('IncidentNumber')=} "
-                          f"due to the {incident_severity=} is lower then {min_severity=}")
+        add_mirroring_fields(incident)
+        xsoar_incident = {
+            'name': '[Azure Sentinel] ' + incident.get('Title'),
+            'occurred': incident.get('CreatedTimeUTC'),
+            'severity': incident_severity,
+            'rawJSON': json.dumps(incident)
+        }
 
         # Update last run to the latest fetch time
         if incident_created_time is None:
             raise DemistoException(f"{incident.get('CreatedTimeUTC')=} couldn't be parsed")
 
+        incidents.append(xsoar_incident)
+
         if incident_created_time > latest_created_time:
             latest_created_time = incident_created_time
         if incident.get('IncidentNumber') > last_incident_number:

Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml

@@ -196,6 +196,13 @@ configuration:
   section: Collect
   advanced: true
   required: false
+- defaultvalue: '1'
+  display: Incidents Fetch Interval
+  name: incidentFetchInterval
+  required: false
+  type: 19
+  section: Collect
+  advanced: true
 description: "Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) Security orchestration, automation, and response (SOAR)."
 display: Microsoft Sentinel
 name: Azure Sentinel

Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py

@@ -1273,12 +1273,11 @@ def test_process_incidents(self, args, client, expected_result):
         """
         # prepare
         raw_incidents = [MOCKED_RAW_INCIDENT_OUTPUT.get('value')[0]]
-        min_severity = args.get('min_severity')
         last_incident_number = args.get('last_incident_number')
         latest_created_time = dateparser.parse('2020-02-02T14:05:01.5348545Z')
 
         # run
-        next_run, _ = process_incidents(raw_incidents, min_severity, latest_created_time,
+        next_run, _ = process_incidents(raw_incidents, latest_created_time,
                                         last_incident_number)
 
         # validate
@@ -1307,7 +1306,7 @@ def test_last_run_in_fetch_incidents(self, mocker):
         last_run = {'last_fetch_time': '2022-03-16T13:01:08Z',
                     'last_fetch_ids': []}
         first_fetch_time = '3 days'
-        minimum_severity = 0
+        minimum_severity = 'Informational'
 
         mocker.patch('AzureSentinel.process_incidents', return_value=({}, []))
         mocker.patch.object(client, 'http_request', return_value=MOCKED_INCIDENTS_OUTPUT)
@@ -1340,7 +1339,7 @@ def test_last_run_in_fetch_incidents_duplicates(self, mocker):
         last_run = {'last_fetch_time': '2022-03-16T13:01:08Z',
                     'last_fetch_ids': ['inc_name']}
         first_fetch_time = '3 days'
-        minimum_severity = 0
+        minimum_severity = 'Informational'
 
         process_mock = mocker.patch('AzureSentinel.process_incidents', return_value=({}, []))
         mocker.patch.object(client, 'http_request', return_value=MOCKED_INCIDENTS_OUTPUT)
@@ -1351,7 +1350,7 @@ def test_last_run_in_fetch_incidents_duplicates(self, mocker):
         # validate
         assert not process_mock.call_args[0][0]
 
-    @pytest.mark.parametrize('min_severity, expected_incident_num', [(1, 2), (3, 1)])
+    @pytest.mark.parametrize('min_severity, expected_incident_num', [(1, 2), (3, 2)])
     def test_last_fetched_incident_for_various_severity_levels(self, mocker, min_severity, expected_incident_num):
         """
         Given:
@@ -1370,7 +1369,6 @@ def test_last_fetched_incident_for_various_severity_levels(self, mocker, min_sev
 
         # run
         next_run, incidents = process_incidents(raw_incidents=raw_incidents,
-                                                min_severity=min_severity,
                                                 latest_created_time=latest_created_time,
                                                 last_incident_number=1)
 

Packs/AzureSentinel/ReleaseNotes/1_5_60.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Microsoft Sentinel
+
+- Improved implementation for *The minimum severity of incidents to fetch* parameter.

Packs/AzureSentinel/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Sentinel",
     "description": "Microsoft Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.",
     "support": "xsoar",
-    "currentVersion": "1.5.59",
+    "currentVersion": "1.5.60",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",