Add Critical severity to SOCRadarIncidents #44462

Open
Radargoger wants to merge 18 commits into demisto:contrib/Radargoger_contrib/Radargoger_socradar-critical-severity from Radargoger:contrib/Radargoger_socradar-critical-severity

@Radargoger Radargoger commented May 29, 2026

Summary

  • Added Critical severity level support to SOCRadarIncidents integration
  • Updated severity mapping, constants, YML config options, and unit tests
  • Bumped pack version to 2.3.1

Test plan

  • Verify Critical severity is available in the integration configuration dropdown
  • Verify incidents with CRITICAL severity are correctly mapped to XSOAR severity 4
  • Run unit tests to confirm severity mapping works

relates: https://jira-dc.paloaltonetworks.com/browse/CIAC-16937

@content-bot added the Contribution, External PR, and Partner Support Level labels May 29, 2026
@content-bot changed the base branch from master to contrib/Radargoger_contrib/Radargoger_socradar-critical-severity May 29, 2026 20:11
@content-bot requested a review from kamalq97 May 29, 2026 20:11
@content-bot

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @kamalq97 will know the proposed changes are ready to be reviewed.
For your convenience, here is a link to the contributions SLAs document.

@content-bot

Hi @Radargoger, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.

@content-bot

🤖 AI-Powered Code Review Available

Hi @kamalq97, you can leverage AI-powered code review to assist with this PR!

Available Commands:

  • @marketplace-ai-reviewer start review - Initiate a full AI code review
  • @marketplace-ai-reviewer re-review - Incremental review for new commits

Map missing custom fields from API response: response, mitigation,
detection & analysis, post-incident analysis, compliance frameworks,
related assets, related entities, incident link, and content.
…entsV4

Users can now enable/disable each enrichment field via YML checkboxes:
Include Mitigation, Include Response, Include Detection And Analysis,
Include Post Incident Analysis, Include Compliance, Include Related Assets,
Include Related Entities. All default to true.
@content-bot added the Partner-Approved, Contribution Form Filled, and Partner labels May 29, 2026
@kamalq97 added the ready-for-instance-test and ready-for-ai-review labels May 31, 2026
@marketplace-ai-reviewer removed the ready-for-ai-review label May 31, 2026
@marketplace-ai-reviewer

🤖 Analysis started. Please wait for results...

@marketplace-ai-reviewer

🤖 AI Review Disclaimer

This review was generated by an AI-powered tool and may contain inaccuracies. Please be advised, and we extend our sincere apologies for any inconvenience this may cause.

@marketplace-ai-reviewer marketplace-ai-reviewer left a comment

Thanks for submitting your PR!
Before moving on with the detailed review, please take a moment to address the following general comments.

  • The PR description only mentions adding the 'Critical' severity, but the code changes include adding new incident fields, changing the API key parameter to a password type, and adding multiple new configuration parameters to both SOCRadar integrations. Please update the PR title and description to accurately reflect all these additions, or split the PR into smaller, focused changes.

@content-bot

For the Reviewer: Trigger build request has been accepted for this contribution PR.

@content-bot

For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/9652662

@content-bot removed the ready-for-instance-test label May 31, 2026
@kamalq97

Hi @Radargoger

Could you please update the PR description as requested by the @marketplace-ai-reviewer?

Additionally, could you please address the following validation errors? (note that IF115 can be ignored via the .pack-ignore file).

Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Incident_Link.json: [IF115] - Incident fields should have `unsearchable` set to true. Otherwise, the platform will index the data in this field, potentially affecting performance and disk usage. To suppress this validation, use the .pack-ignore file.
Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Company_ID.json: [IF115] - Incident fields should have `unsearchable` set to true. Otherwise, the platform will index the data in this field, potentially affecting performance and disk usage. To suppress this validation, use the .pack-ignore file.
Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Compliance.json: [IF115] - Incident fields should have `unsearchable` set to true. Otherwise, the platform will index the data in this field, potentially affecting performance and disk usage. To suppress this validation, use the .pack-ignore file.
Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Detection_And_Analysis.json: [IF115] - Incident fields should have `unsearchable` set to true. Otherwise, the platform will index the data in this field, potentially affecting performance and disk usage. To suppress this validation, use the .pack-ignore file.
Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Post_Incident_Analysis.json: [IF115] - Incident fields should have `unsearchable` set to true. Otherwise, the platform will index the data in this field, potentially affecting performance and disk usage. To suppress this validation, use the .pack-ignore file.
Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Response.json: [IF115] - Incident fields should have `unsearchable` set to true. Otherwise, the platform will index the data in this field, potentially affecting performance and disk usage. To suppress this validation, use the .pack-ignore file.
Packs/SOCRadar/ReleaseNotes/2_3_1.md: [RN107] - No release note entry was found for the incidentfield "SOCRadar Incident Link" in the SOCRadar pack. Please rerun the update-release-notes command without -u to generate an updated template. If you are trying to exclude an item from the release notes, please refer to the documentation found here - https://xsoar.pan.dev/docs/integrations/changelog#excluding-items
Packs/SOCRadar/ReleaseNotes/2_3_1.md: [RN107] - No release note entry was found for the incidentfield "SOCRadar Company ID" in the SOCRadar pack. Please rerun the update-release-notes command without -u to generate an updated template. If you are trying to exclude an item from the release notes, please refer to the documentation found here - https://xsoar.pan.dev/docs/integrations/changelog#excluding-items
Packs/SOCRadar/ReleaseNotes/2_3_1.md: [RN107] - No release note entry was found for the incidentfield "SOCRadar Compliance" in the SOCRadar pack. Please rerun the update-release-notes command without -u to generate an updated template. If you are trying to exclude an item from the release notes, please refer to the documentation found here - https://xsoar.pan.dev/docs/integrations/changelog#excluding-items
Packs/SOCRadar/ReleaseNotes/2_3_1.md: [RN107] - No release note entry was found for the incidentfield "SOCRadar Detection And Analysis" in the SOCRadar pack. Please rerun the update-release-notes command without -u to generate an updated template. If you are trying to exclude an item from the release notes, please refer to the documentation found here - https://xsoar.pan.dev/docs/integrations/changelog#excluding-items
Packs/SOCRadar/ReleaseNotes/2_3_1.md: [RN107] - No release note entry was found for the incidentfield "SOCRadar Post Incident Analysis" in the SOCRadar pack. Please rerun the update-release-notes command without -u to generate an updated template. If you are trying to exclude an item from the release notes, please refer to the documentation found here - https://xsoar.pan.dev/docs/integrations/changelog#excluding-items
Packs/SOCRadar/ReleaseNotes/2_3_1.md: [RN107] - No release note entry was found for the incidentfield "SOCRadar Response" in the SOCRadar pack. Please rerun the update-release-notes command without -u to generate an updated template. If you are trying to exclude an item from the release notes, please refer to the documentation found here - https://xsoar.pan.dev/docs/integrations/changelog#excluding-items

Please let me know when ready for a review.

@kamalq97 added the pending-contributor label May 31, 2026
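
One way to triage the validation output quoted in the comment above, as an added example that is not part of the PR or of any participant's comment: it groups findings by error code, drafts suppression sections for IF115, and lists the items RN107 says are missing from the release notes. The function names are hypothetical, the sample lines are abridged from the page, and the `[file:...]` / `ignore=` section layout is assumed to be the pack's `.pack-ignore` format.

```python
import re
from collections import defaultdict

# Constructed sample: three lines abridged from the validation output quoted
# in the thread (messages shortened).
SAMPLE = """\
Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Incident_Link.json: [IF115] - Incident fields should have `unsearchable` set to true.
Packs/SOCRadar/IncidentFields/incidentfield-SOCRadar_Response.json: [IF115] - Incident fields should have `unsearchable` set to true.
Packs/SOCRadar/ReleaseNotes/2_3_1.md: [RN107] - No release note entry was found for the incidentfield "SOCRadar Incident Link" in the SOCRadar pack.
"""

# "<path>: [<CODE>] - <message>" as it appears in the quoted output.
LINE_RE = re.compile(r"^(?P<path>\S+): \[(?P<code>[A-Z]{2}\d{3})\] - (?P<msg>.*)$")
# RN107 messages name the undocumented item as: for the <kind> "<name>"
ITEM_RE = re.compile(r'for the (?P<kind>\w+) "(?P<name>[^"]+)"')


def parse_findings(text):
    """Group validator lines by error code -> list of (path, message)."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings[m["code"]].append((m["path"], m["msg"]))
    return dict(findings)


def pack_ignore_stanzas(findings, code):
    """Draft .pack-ignore sections (assumed layout) suppressing `code` per file."""
    files = sorted({path.rsplit("/", 1)[-1] for path, _ in findings.get(code, [])})
    return "\n".join(f"[file:{name}]\nignore={code}\n" for name in files)


def missing_release_notes(findings):
    """Return (item kind, item name) pairs that RN107 reports as undocumented."""
    out = []
    for _, msg in findings.get("RN107", []):
        m = ITEM_RE.search(msg)
        if m:
            out.append((m["kind"], m["name"]))
    return out


if __name__ == "__main__":
    found = parse_findings(SAMPLE)
    print(pack_ignore_stanzas(found, "IF115"))
    print(missing_release_notes(found))
```
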