
Commit 7b30d89

xsoar-bot, ispRM, inbalapt1, ShacharKidor, sdaniel6 authored
[Marketplace Contribution] Microsoft Sentinel - Content Pack Update (#39230)
* "contribution update to pack 'Microsoft Sentinel'" * Revert unwanted changes * Update Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> * Update Packs/AzureSentinel/Integrations/AzureSentinel/README.md Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> * Update Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> * Revert unwanted changes part 2 * Aligned tests to the input type change * update release notes * fix unittest * Update Packs/AzureSentinel/ReleaseNotes/1_5_60.md Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> * fix * Added a note to the readme regarding the debugger panel (#39243) * CRTX-133204-Trellix_ePO-fix (#39248) * changed metadata file * added release notes * added release notes --------- Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> * fix: get mapping fields function does not except any arguments (#38786) (#39261) * fix: get mapping fields function does not except any arguments * feat: add Bryan van der Net to CONTRIBUTORS.json * fix: update SentinelOne V2 integration to resolve mapping fields error and enhance configuration sections * fix: update Docker image version for SentinelOne V2 integration * docs: update Docker image version in release notes for SentinelOne V2 integration * Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml * Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml * Update Packs/SentinelOne/ReleaseNotes/3_2_37.md * Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml * style: pr still showing changes on the release notes * Bump version and generate release notes * revert: revert config changes * chore: bump version and update release notes * style: undo random formatting changes --------- Co-authored-by: 
bryanster <45668775+bryanster@users.noreply.github.com> Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> Co-authored-by: Jelle Hol <jellehol93@gmail.com> * Modeling rules modification - CRTX-151278 (#39103) * Modified modeling rule after the modification of the integration * Fixed schema file * Added release note and modified modeling rule * Pack's version update * Update Packs/qualys/ReleaseNotes/3_2_4.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Modified modeling rule * Bump pack from version qualys to 3.2.5. * Added xdm.event.type to assets events * Added tag * Fixed schema file * Fixed schema file --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com> * Update Pan-OS playbook for supporting version 11 (#39249) * added itamar (#39265) * Added the validate-validation-config-file hook to content (#39260) * Added the validate-validation-config-file hook to content * fixes * fix validations * Automation research releases (#39270) * new playbook - First Azure AD PowerShell operation for a user (#39159) * new playbook * RN * description fixed * added ignore * Bump pack from version CortexResponseAndRemediation to 1.1.25. 
* Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-First_Azure_AD_PowerShell_operation_for_a_user.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * task description * position fix * fix for old link to documentation * continue on error * fix * skip if * fix * fix * added issilent: true --------- 
Co-authored-by: Content Bot <bot@demisto.com> Co-authored-by: Adi Peretz <130285835+AdiPeret@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Automation Research Release - 1 (#39269) * fix: get mapping fields function does not except any arguments (#38786) (#39261) * fix: get mapping fields function does not except any arguments * feat: add Bryan van der Net to CONTRIBUTORS.json * fix: update SentinelOne V2 integration to resolve mapping fields error and enhance configuration sections * fix: update Docker image version for SentinelOne V2 integration * docs: update Docker image version in release notes for SentinelOne V2 integration * Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml * Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml * Update Packs/SentinelOne/ReleaseNotes/3_2_37.md * Update Packs/SentinelOne/Integrations/SentinelOne-V2/SentinelOne-V2.yml * style: pr still showing changes on the release notes * Bump version and generate release notes * revert: revert config changes * chore: bump version and update release notes * style: undo random formatting changes --------- Co-authored-by: bryanster <45668775+bryanster@users.noreply.github.com> Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> Co-authored-by: Jelle Hol <jellehol93@gmail.com> * Modeling rules modification - CRTX-151278 (#39103) * Modified modeling rule after the modification of the integration * Fixed schema file * Added release note and modified modeling rule * Pack's version update * Update Packs/qualys/ReleaseNotes/3_2_4.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Modified modeling rule * Bump pack from version qualys to 3.2.5. 
* Added xdm.event.type to assets events * Added tag * Fixed schema file * Fixed schema file --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com> * Update Pan-OS playbook for supporting version 11 (#39249) * added itamar (#39265) --------- Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: bryanster <45668775+bryanster@users.noreply.github.com> Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> Co-authored-by: Jelle Hol <jellehol93@gmail.com> Co-authored-by: yasta5 <112320333+yasta5@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com> Co-authored-by: Niv Ben Salmon <nbensalmon@paloaltonetworks.com> Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> --------- Co-authored-by: Karina Fishman <147307864+karinafishman@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com> Co-authored-by: Adi Peretz <130285835+AdiPeret@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: bryanster <45668775+bryanster@users.noreply.github.com> Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> Co-authored-by: Jelle Hol <jellehol93@gmail.com> Co-authored-by: yasta5 <112320333+yasta5@users.noreply.github.com> Co-authored-by: Niv Ben Salmon <nbensalmon@paloaltonetworks.com> Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> * add codeowner (#39272) * [GenericPolling] Update docs (#39250) * RN * Update Packs/CommonPlaybooks/ReleaseNotes/2_6_55.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/CommonPlaybooks/ReleaseNotes/2_6_55.md Co-authored-by: Arad Carmi 
<62752352+AradCarmi@users.noreply.github.com> --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> * edit readme file (#39196) * edit readme file * documentation after tech writing fixes * fix to soft break (line break) * improve images resolution * change permission list to bullet style * [Code owners] Update ContentManagement with talzich (#39284) * Platform content support merge gateway (#39268) * batch_1 (#39162) * Adopt 'platform' MP to content packs #2 (#39163) * batch_2 * revert incorrect changes * revert incorrect changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #3 (#39164) * batch_3 * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * batch_4 (#39165) * Adopt 'platform' MP to content packs #6 (#39167) * batch_6 * revert incorrect changes * batch_7 (#39168) * Adopt 'platform' MP to content packs #8 (#39169) * batch_8 * revert incorrect changes * Update Packs/CommonScripts/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #9 (#39170) * batch_9 * revert quick actions * revert incorrect changes * revert incorrect changes * batch_5 (#39232) * batch_10 (#39171) * batch_11 (#39172) * Adopt 'platform' MP to content packs #12 (#39173) * batch_12 * revert incorrect changes * batch_13 (#39174) * Adopt 'platform' MP to content packs #14 (#39175) * batch_14 * revert incorrect changes * Adopt 'platform' MP to content packs #15 (#39176) * batch_15 * Update Packs/FiltersAndTransformers/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_16 (#39177) * batch_17 (#39178) * Adopt 'platform' MP to content packs #18 (#39179) * batch_18 * revert incorrect changes * Adopt 'platform' MP to content packs #19 (#39180) * batch_19 * 
Update Packs/Jira/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_20 (#39181) * Adopt 'platform' MP to content packs #21 (#39182) * batch_21 * revert incorrect changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #22 (#39183) * batch_22 * revert incorrect changes * Update Packs/Office365AndAzureAuditLog/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_24 (#39185) * Adopt 'platform' MP to content packs #25 (#39186) * batch_25 * Update Packs/PingIdentity/pack_metadata.json * Update Packs/PrismaAccess/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #26 (#39187) * batch_26 * revert incorrect changes * Adopt 'platform' MP to content packs #27 (#39188) * batch_27 * revert incorrect changes * Adopt 'platform' MP to content packs #28 (#39189) * batch_28 * revert incorrect changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #29 (#39190) * batch_29 * revert incorrect changes * Update Packs/Slack/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_30 (#39191) * batch_31 (#39192) * Adopt 'platform' MP to content packs #32 (#39193) * batch_32 * Update Packs/Workday/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_33 (#39194) * Adopt 'platform' MP to content packs #23 (#39184) * batch_23 * revert incorrect changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * fix json * limit common scripts * fix Core layouts * fix Core layouts --------- Co-authored-by: Israel Lappe <79846863+ilappe@users.noreply.github.com> Co-authored-by: darbel <darbel@paloaltonetworks.com> * IBM HA - add "haIntegrationEventID" to multiple integrations 
(#38846) * add haIntegrationEventID key to qradar incidents * added rn * fixes * in progress * reverts & preparation * tests fixes * added haIntegrationEventID to more integrations * added rns * fixes * fixes * added sections to uptycs * work in progress, save before testing * working windows integration * done all 9 integrations * added rns * fix proof point * fix unit test * validations fixes * validations fixes * reverts * update uptycs contacts * update rns * update rns * revert ms atp * reverts * reverts * updated docker * fixed empty offset issue * added rn * reverts * Add ICDM Integration (#38982) (#39283) * Add ICDM Integration * Fix Formatting and Pipeline errors * Update Sections * Minor changes and refactors to address Review comments * Fix Unit test for network indicator * do not use deprecated method utcnow() * Fix context path and format readable output of Protection Commands * Update Readme * Fix version info in Readme Co-authored-by: rundssoar <139948408+rundssoar@users.noreply.github.com> * Box Quick Update (#39267) * Updated README and pack_metadata * Updated README * Update Packs/Box/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Box/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Box/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Box/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * [Trellix_ePO] Remove MP xsoar (#39296) * hide pack (#39290) (#39294) Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> * CortexCoreIR: added `quick actions` commands (#38663) * added prettynames placeholder * added quickaction * update prettypredefined * capital prettyPredefined * update prettypredefined * JUST FOR TEST 
SDK FIX * correct prettypredefined * test script * use sdk from branch * added supportedModules * adding the wrapper commands * remove "platform" properties from script * revert poetry changes * remove quick action from the orig command * correct the name of quick actions * fix wrong * update CoreIR integration with IA related & py code * PM changes * restore pack_metadata * replace placeholders * run ruff format after merge master * added RN * fix alert * update the RN --------- Co-authored-by: Danny_Fried <dfried@paloaltonetworks.com> * drop CortexVulnerabilityManagement from platform (#39299) * Nivbs/ciac 13013 quick actions (#38979) * Added first draft for Quick action: Create Issue in Jira * Added first draft for Quick action: Create ServiceNow Ticket * Fixing Items in JIRA quick action * Adding Correct Fields in Open Service Now Ticket * Quick Action Slack Integration * Quick Action MSFT Teams Integration * re-format the ${issue} syntax after clarifications * Adding Platform to pack_metadata.json * Updating pack_metadata.json for all Packs, according to platform-content-support * update supportsquickactions to higher scope adding hidden to relevant quick-action cmds * Update slack to slackV3 * Remove deprecated arguments from JIRA cmd * Update default Value in Jira * Update Docker images versions * Update Release notes for quick actions Packs * Adding supports quick action for slack V3 * Change order of pre-defined options * Change defaultValue to predefined * Change pretty name for short_description in ServiceNowv2.yml * Remove prettyname for non required params * Update JiraV3.yml according to design changes * Update MicrosoftTeams.yml according to design changes * Update SlackV3.yml according to design changes * Update ServiceNowv2.yml according to design changes * Change from issue to alert keyword * Fixes After demo: Remove user option from teams and slack. 
Remove defaultValue from Servicenow TicketType * After Server fix - change from alert to issue keyword * Update Packs/Slack/ReleaseNotes/3_5_11.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Slack/ReleaseNotes/3_5_11.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/ServiceNow/ReleaseNotes/2_7_8.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/ServiceNow/Integrations/ServiceNowv2/ServiceNowv2.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Jira/Integrations/JiraV3/JiraV3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Jira/Integrations/JiraV3/JiraV3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Jira/ReleaseNotes/3_2_16.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/ServiceNow/Integrations/ServiceNowv2/ServiceNowv2.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/MicrosoftTeams/ReleaseNotes/1_5_17.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/ServiceNow/Integrations/ServiceNowv2/ServiceNowv2.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg 
<62508050+ShirleyDenkberg@users.noreply.github.com> * Update release note file name * Update description after pre commit notes * Create 3_5_12.md * Update Descriptions and params after product meeting * Revert "Create 3_5_12.md" This reverts commit 348e186. * Because of ST failed - update description in commands * batch_1 (#39162) * Adopt 'platform' MP to content packs #2 (#39163) * batch_2 * revert incorrect changes * revert incorrect changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #3 (#39164) * batch_3 * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * batch_4 (#39165) * Adopt 'platform' MP to content packs #6 (#39167) * batch_6 * revert incorrect changes * batch_7 (#39168) * Adopt 'platform' MP to content packs #8 (#39169) * batch_8 * revert incorrect changes * Update Packs/CommonScripts/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #9 (#39170) * batch_9 * revert quick actions * revert incorrect changes * revert incorrect changes * batch_5 (#39232) * batch_10 (#39171) * batch_11 (#39172) * Adopt 'platform' MP to content packs #12 (#39173) * batch_12 * revert incorrect changes * batch_13 (#39174) * Adopt 'platform' MP to content packs #14 (#39175) * batch_14 * revert incorrect changes * Adopt 'platform' MP to content packs #15 (#39176) * batch_15 * Update Packs/FiltersAndTransformers/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_16 (#39177) * batch_17 (#39178) * Adopt 'platform' MP to content packs #18 (#39179) * batch_18 * revert incorrect changes * Adopt 'platform' MP to content packs #19 (#39180) * batch_19 * Update Packs/Jira/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_20 (#39181) * Adopt 'platform' MP to content packs #21 (#39182) * batch_21 * revert incorrect 
changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #22 (#39183) * batch_22 * revert incorrect changes * Update Packs/Office365AndAzureAuditLog/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_24 (#39185) * Adopt 'platform' MP to content packs #25 (#39186) * batch_25 * Update Packs/PingIdentity/pack_metadata.json * Update Packs/PrismaAccess/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #26 (#39187) * batch_26 * revert incorrect changes * Adopt 'platform' MP to content packs #27 (#39188) * batch_27 * revert incorrect changes * Adopt 'platform' MP to content packs #28 (#39189) * batch_28 * revert incorrect changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * Adopt 'platform' MP to content packs #29 (#39190) * batch_29 * revert incorrect changes * Update Packs/Slack/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_30 (#39191) * batch_31 (#39192) * Adopt 'platform' MP to content packs #32 (#39193) * batch_32 * Update Packs/Workday/pack_metadata.json --------- Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com> * batch_33 (#39194) * Adopt 'platform' MP to content packs #23 (#39184) * batch_23 * revert incorrect changes * remove identity_threat --------- Co-authored-by: darbel <darbel@paloaltonetworks.com> * fix json * limit common scripts * Revert "Merge branch 'test-platform-mp' into nivbs/CIAC-13013_Quick_Actions" This reverts commit 78e897c, reversing changes made to d2885a5. 
* Update release notes before pre commit * Update release notes before pre commit * Update current version in pack_metadata.json * Applying changes to adjust pre-commit tests * Making sure that send slack message and send teams message don't run as one action * Updating SlackV3_test.py to support new version * Revert docker changes in slack and teams because of build not supporting new versions * Revert slack test changes because docker versions were not updated * Remove Unnecessary description in Teams --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Israel Lappe <79846863+ilappe@users.noreply.github.com> Co-authored-by: darbel <darbel@paloaltonetworks.com> Co-authored-by: barryyosi-panw <158817412+barryyosi-panw@users.noreply.github.com> Co-authored-by: barryyosi-panw <byosilevich@paloaltonetworks.com> * Fix validate content tpb (#39297) * Increase timeout * fix tpb yml * FormatURL does not correctly extract URLs from URLs of type ProofPoint URLDefense v3 (#39086) * first commit * add rn * add tests- urls are from api * Bump pack from version CommonScripts to 1.19.34. * improve code * Bump pack from version ApiModules to 2.2.43. * add rn * fix docker * fix code * fix pre-commit * fix pre-commit * fix pre-commit * fix pre-commit * fix test * Bump pack from version CommonScripts to 1.19.35. 
* fix test * fix test playbook * fix warnings * fix warnings * fix warnings * fix warnings --------- Co-authored-by: Content Bot <bot@demisto.com> * Modified readme file - Proofpoint TAP (#39289) * Modified readme file * Update Packs/ProofpointTAP/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Improve handling of command execution timeout using timed thread in QualysV2 (#39074) * Updated Silverfort Pack README (#38764) (#39304) * Updated Silverfort README * Updated based on ilaredo's feedback * Trigger build workflow Co-authored-by: Frank Gasparovic <Frank.Gasparovic@Gmail.com> * Fix for list of techniques in InvestigationDetailedSummaryToTable (#39291) * fix for customer issue * FeedDomainTools Release v1.0.1 (#39280) (#39305) * Add release notes * Removed release notes * Add domain discovery feed. * Added domainrdap feeds * Add test cases for domainrdap feeds * Revert hardcoded indicator type * Remove unnecessary comment * Update README * Update release notes Co-authored-by: Bri <133698148+briluza@users.noreply.github.com> * Fix upload flow core packs validation (#39306) * update the RN * empty * Intense sso failures fix (#39301) * Change 90 days to 1 day * Change 90 days to 1 day * RN --------- Co-authored-by: ROCCO <rocco.mercante@intesasanpaolo.com> Co-authored-by: ispRM <99743409+ispRM@users.noreply.github.com> Co-authored-by: inbalapt1 <164751454+inbalapt1@users.noreply.github.com> Co-authored-by: iapt@paloaltonetworks.com <iapt@paloaltonetworks.com> Co-authored-by: Shachar Kidor <82749224+ShacharKidor@users.noreply.github.com> Co-authored-by: sdaniel6 <sdaniel@paloaltonetworks.com> Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: bryanster <45668775+bryanster@users.noreply.github.com> 
Co-authored-by: Jelle Hol <jellehol93@gmail.com> Co-authored-by: yasta5 <112320333+yasta5@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com> Co-authored-by: Niv Ben Salmon <nbensalmon@paloaltonetworks.com> Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> Co-authored-by: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com> Co-authored-by: Daniel Rezvani <drezvani@paloaltonetworks.com> Co-authored-by: Karina Fishman <147307864+karinafishman@users.noreply.github.com> Co-authored-by: Adi Peretz <130285835+AdiPeret@users.noreply.github.com> Co-authored-by: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com> Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> Co-authored-by: lironcohen272 <lircohen@paloaltonetworks.com> Co-authored-by: Menachem Weinfeld <90556466+mmhw@users.noreply.github.com> Co-authored-by: barryyosi-panw <158817412+barryyosi-panw@users.noreply.github.com> Co-authored-by: Israel Lappe <79846863+ilappe@users.noreply.github.com> Co-authored-by: darbel <darbel@paloaltonetworks.com> Co-authored-by: rundssoar <139948408+rundssoar@users.noreply.github.com> Co-authored-by: eepstain <116078117+eepstain@users.noreply.github.com> Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Danny_Fried <dfried@paloaltonetworks.com> Co-authored-by: barryyosi-panw <byosilevich@paloaltonetworks.com> Co-authored-by: Tal Zichlinsky <35036457+talzich@users.noreply.github.com> Co-authored-by: Tal Carmeli <158452762+tcarmeli1@users.noreply.github.com> Co-authored-by: Kamal Qarain <45042524+kamalq97@users.noreply.github.com> Co-authored-by: Frank Gasparovic <Frank.Gasparovic@Gmail.com> Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> Co-authored-by: Bri <133698148+briluza@users.noreply.github.com> Co-authored-by: Tomer Haimof 
<81556849+tomer-pan@users.noreply.github.com> Co-authored-by: RotemAmit <ramit@paloaltonetworks.com>
1 parent 5db49a8 commit 7b30d89

File tree: 5 files changed (+48, -26 lines)

Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py

+30 -19
@@ -473,6 +473,19 @@ def severity_to_level(severity):
473473
return 0
474474

475475

476+
def severity_filter(min_severity):
477+
"""
478+
Create Severity Filter when min_severity >= Low.
479+
"""
480+
severity_levels = ["Low", "Medium", "High"]
481+
severity_filter = ""
482+
if min_severity in severity_levels:
483+
min_level = severity_to_level(min_severity)
484+
conditions = [f"properties/severity eq '{s}'" for s in severity_levels if severity_to_level(s) >= min_level]
485+
severity_filter = f"and ({ ' or '.join(conditions) })"
486+
return severity_filter
487+
488+
476489
def generic_list_incident_items(client, incident_id, items_kind, key_in_raw_result, outputs_prefix, xsoar_transformer):
477490
"""
478491
Get a list of incident's items
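Review bot: `severity_filter` silently returns an empty string for any `min_severity` value outside `["Low", "Medium", "High"]`, so a value such as `"low"` or `"High "` (casing or whitespace from the integration parameter) quietly disables server-side filtering, and since the in-memory severity check is removed in this patch every incident would then be created; consider normalizing the input (`min_severity.strip().capitalize()`) and logging or raising for anything that is neither `Informational` nor in the list. On the positive side, interpolating only allow-listed values into the OData filter means the user-configured parameter cannot inject into the query. The docstring should also state that the result is either an empty string or a clause beginning with `and (...)` that is meant to be appended to an existing filter.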
@@ -1312,7 +1325,7 @@ def fetch_incidents_additional_info(client: AzureSentinelClient, incidents: List
13121325
incident[info_type] = client.http_request(method, f'incidents/{incident_id}/{info_type}').get(results_key)
13131326

13141327

1315-
def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_time: str, min_severity: int) -> tuple:
1328+
def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_time: str, min_severity: str) -> tuple:
13161329
"""Fetching incidents.
13171330
Args:
13181331
first_fetch_time: The first fetch time.
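Review bot: the annotation for `min_severity` changes from `int` to `str` but the visible `Args:` section of the docstring is not updated to say it is now the severity name (`Informational`, `Low`, `Medium`, `High`) rather than the numeric level returned by `severity_to_level`; add that line, since a caller still passing the old integer would make `severity_filter` return an empty clause without any error.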
@@ -1346,21 +1359,23 @@ def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_tim
13461359

13471360
latest_created_time_str = latest_created_time.strftime(DATE_FORMAT)
13481361
command_args = {
1349-
'filter': f'properties/createdTimeUtc ge {latest_created_time_str}',
1362+
'filter': f'properties/createdTimeUtc ge {latest_created_time_str} {severity_filter(min_severity)}',
13501363
'orderby': 'properties/createdTimeUtc asc',
13511364
'limit': limit
13521365
}
1366+
demisto.debug(f"Filter query used:{command_args['filter']}")
13531367

13541368
else:
13551369
demisto.debug("last fetch time is empty, trying to fetch incidents by last incident id")
13561370
latest_created_time = dateparser.parse(last_fetch_time)
13571371
if latest_created_time is None:
13581372
raise DemistoException(f"{last_fetch_time=} couldn't be parsed")
13591373
command_args = {
1360-
'filter': f'properties/incidentNumber gt {last_incident_number}',
1374+
'filter': f'properties/incidentNumber gt {last_incident_number} {severity_filter(min_severity)}',
13611375
'orderby': 'properties/incidentNumber asc',
13621376
'limit': limit
13631377
}
1378+
demisto.debug(f"Filter query used:{command_args['filter']}")
13641379

13651380
raw_incidents = list_incidents_command(client, command_args, is_fetch_incidents=True).outputs
13661381
if isinstance(raw_incidents, dict):
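Review bot: the identical `demisto.debug(f"Filter query used:{command_args['filter']}")` line is added in both branches; hoisting it once after the `if`/`else` keeps the two branches from drifting, and a space after the colon would make the log readable. Also, when `severity_filter` returns an empty string the f-string leaves a trailing space on the filter value (`... ge {latest_created_time_str} `); the API tolerates it, but `.strip()` on the assembled filter, or appending the clause only when it is non-empty, keeps the logged query clean.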
@@ -1371,14 +1386,14 @@ def fetch_incidents(client: AzureSentinelClient, last_run: dict, first_fetch_tim
13711386

13721387
fetch_incidents_additional_info(client, raw_incidents)
13731388

1374-
return process_incidents(raw_incidents, min_severity,
1389+
return process_incidents(raw_incidents,
13751390
latest_created_time, last_incident_number) # type: ignore[attr-defined]
13761391

13771392

13781393
def fetch_incidents_command(client, params):
13791394
# How much time before the first fetch to retrieve incidents
13801395
first_fetch_time = params.get('fetch_time', '3 days').strip()
1381-
min_severity = severity_to_level(params.get('min_severity', 'Informational'))
1396+
min_severity = params.get('min_severity', 'Informational')
13821397
# Set and define the fetch incidents command to run after activated via integration settings.
13831398
last_run = demisto.getLastRun()
13841399
demisto.debug(f"Current last run is {last_run}")
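Review bot: with `min_severity = params.get('min_severity', 'Informational')` replacing `severity_to_level(...)`, the value handed to `fetch_incidents` is the display string from the integration parameter and `process_incidents` no longer receives a severity at all, so the server-side filter built in `fetch_incidents` is now the only place the minimum severity is enforced. If `severity_to_level` has no remaining callers after this change, remove it; otherwise add a short comment here explaining why the fetch path deliberately bypasses the numeric mapping.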
@@ -1393,14 +1408,13 @@ def fetch_incidents_command(client, params):
13931408
demisto.incidents(incidents)
13941409

13951410

1396-
def process_incidents(raw_incidents: list, min_severity: int, latest_created_time: datetime,
1411+
def process_incidents(raw_incidents: list, latest_created_time: datetime,
13971412
last_incident_number):
13981413
"""Processing the raw incidents
13991414
Args:
14001415
raw_incidents: The incidents that were fetched from the API.
14011416
last_incident_number: The last incident number that was fetched.
14021417
latest_created_time: The latest created time.
1403-
min_severity: The minimum severity.
14041418
14051419
Returns:
14061420
A next_run dictionary, and an array of incidents.
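Review bot: the new signature `process_incidents(raw_incidents: list, latest_created_time: datetime, last_incident_number)` leaves `last_incident_number` unannotated while the other parameters are typed; it is compared against `incident.get('IncidentNumber')` below, so annotate it as `int`, and reorder the docstring `Args` so `latest_created_time` is listed before `last_incident_number` to match the parameter order.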
@@ -1417,23 +1431,20 @@ def process_incidents(raw_incidents: list, min_severity: int, latest_created_tim
14171431

14181432
incident_created_time = dateparser.parse(incident.get('CreatedTimeUTC'))
14191433
current_fetch_ids.append(incident.get('ID'))
1420-
if incident_severity >= min_severity:
1421-
add_mirroring_fields(incident)
1422-
xsoar_incident = {
1423-
'name': '[Azure Sentinel] ' + incident.get('Title'),
1424-
'occurred': incident.get('CreatedTimeUTC'),
1425-
'severity': incident_severity,
1426-
'rawJSON': json.dumps(incident)
1427-
}
1428-
incidents.append(xsoar_incident)
1429-
else:
1430-
demisto.debug(f"drop creation of {incident.get('IncidentNumber')=} "
1431-
f"due to the {incident_severity=} is lower then {min_severity=}")
1434+
add_mirroring_fields(incident)
1435+
xsoar_incident = {
1436+
'name': '[Azure Sentinel] ' + incident.get('Title'),
1437+
'occurred': incident.get('CreatedTimeUTC'),
1438+
'severity': incident_severity,
1439+
'rawJSON': json.dumps(incident)
1440+
}
14321441

14331442
# Update last run to the latest fetch time
14341443
if incident_created_time is None:
14351444
raise DemistoException(f"{incident.get('CreatedTimeUTC')=} couldn't be parsed")
14361445

1446+
incidents.append(xsoar_incident)
1447+
14371448
if incident_created_time > latest_created_time:
14381449
latest_created_time = incident_created_time
14391450
if incident.get('IncidentNumber') > last_incident_number:
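Review bot: removing the `if incident_severity >= min_severity:` guard makes incident creation unconditional, so whatever the API returns is ingested; if the server-side severity clause is ever empty or ignored (for example a misspelled severity value in the parameter), low-severity incidents will now be created silently where the old code emitted the `drop creation of ...` debug line. A cheap safeguard is to keep a debug line recording `incident_severity` for each created incident so an unexpected flood of low-severity incidents can be traced back to the filter in the logs. Moving `incidents.append(xsoar_incident)` below the `incident_created_time is None` check does not change behaviour, since the raised exception aborts the whole batch either way, but the append is now separated from the `xsoar_incident = {...}` literal by the last-run update comment; placing it directly after the literal reads more clearly.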

Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml

+7
Original file line numberDiff line numberDiff line change
@@ -196,6 +196,13 @@ configuration:
196196
section: Collect
197197
advanced: true
198198
required: false
199+
- defaultvalue: '1'
200+
display: Incidents Fetch Interval
201+
name: incidentFetchInterval
202+
required: false
203+
type: 19
204+
section: Collect
205+
advanced: true
199206
description: "Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) Security orchestration, automation, and response (SOAR)."
200207
display: Microsoft Sentinel
201208
name: Azure Sentinel
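Review bot: the new `incidentFetchInterval` parameter (`type: 19`, `defaultvalue: '1'`) is the standard fetch-interval setting, but this hunk leaves the existing `min_severity` parameter definition untouched even though `fetch_incidents_command` now passes its raw string value straight into the OData filter; confirm that the parameter's `options` list contains exactly the severity names `severity_filter` accepts and that its yml default matches the `'Informational'` fallback in code, since any mismatch now produces a broken or missing filter instead of a dropped incident.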

Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py

+4-6
@@ -1273,12 +1273,11 @@ def test_process_incidents(self, args, client, expected_result):
12731273
"""
12741274
# prepare
12751275
raw_incidents = [MOCKED_RAW_INCIDENT_OUTPUT.get('value')[0]]
1276-
min_severity = args.get('min_severity')
12771276
last_incident_number = args.get('last_incident_number')
12781277
latest_created_time = dateparser.parse('2020-02-02T14:05:01.5348545Z')
12791278

12801279
# run
1281-
next_run, _ = process_incidents(raw_incidents, min_severity, latest_created_time,
1280+
next_run, _ = process_incidents(raw_incidents, latest_created_time,
12821281
last_incident_number)
12831282

12841283
# validate
@@ -1307,7 +1306,7 @@ def test_last_run_in_fetch_incidents(self, mocker):
13071306
last_run = {'last_fetch_time': '2022-03-16T13:01:08Z',
13081307
'last_fetch_ids': []}
13091308
first_fetch_time = '3 days'
1310-
minimum_severity = 0
1309+
minimum_severity = 'Informational'
13111310

13121311
mocker.patch('AzureSentinel.process_incidents', return_value=({}, []))
13131312
mocker.patch.object(client, 'http_request', return_value=MOCKED_INCIDENTS_OUTPUT)
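Review bot: `minimum_severity = 'Informational'` now mirrors the string the integration passes, but because `process_incidents` is mocked here the test never exercises the relocated severity filtering; since `http_request` is also patched, this test could assert that the `filter` argument passed to it contains the severity clause, or a dedicated unit test for `severity_filter` could assert on the generated OData clause for each severity name.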
@@ -1340,7 +1339,7 @@ def test_last_run_in_fetch_incidents_duplicates(self, mocker):
13401339
last_run = {'last_fetch_time': '2022-03-16T13:01:08Z',
13411340
'last_fetch_ids': ['inc_name']}
13421341
first_fetch_time = '3 days'
1343-
minimum_severity = 0
1342+
minimum_severity = 'Informational'
13441343

13451344
process_mock = mocker.patch('AzureSentinel.process_incidents', return_value=({}, []))
13461345
mocker.patch.object(client, 'http_request', return_value=MOCKED_INCIDENTS_OUTPUT)
@@ -1351,7 +1350,7 @@ def test_last_run_in_fetch_incidents_duplicates(self, mocker):
13511350
# validate
13521351
assert not process_mock.call_args[0][0]
13531352

1354-
@pytest.mark.parametrize('min_severity, expected_incident_num', [(1, 2), (3, 1)])
1353+
@pytest.mark.parametrize('min_severity, expected_incident_num', [(1, 2), (3, 2)])
13551354
def test_last_fetched_incident_for_various_severity_levels(self, mocker, min_severity, expected_incident_num):
13561355
"""
13571356
Given:
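Review bot: changing the expected counts to `[(1, 2), (3, 2)]` makes both parametrized cases expect the same result, so `test_last_fetched_incident_for_various_severity_levels` no longer distinguishes severity levels and its name and `Given:` docstring are now misleading; either collapse it into a single unparametrized test named for what it actually checks (the last-run bookkeeping), or keep the parametrization, pass `min_severity` to `severity_filter`, and assert on the clause it produces. The numeric `min_severity` values `1` and `3` also no longer match the string the integration now uses for this parameter.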
@@ -1370,7 +1369,6 @@ def test_last_fetched_incident_for_various_severity_levels(self, mocker, min_sev
13701369

13711370
# run
13721371
next_run, incidents = process_incidents(raw_incidents=raw_incidents,
1373-
min_severity=min_severity,
13741372
latest_created_time=latest_created_time,
13751373
last_incident_number=1)
13761374

@@ -0,0 +1,6 @@
1+
2+
#### Integrations
3+
4+
##### Microsoft Sentinel
5+
6+
- Improved implementation for *The minimum severity of incidents to fetch* parameter.
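Review bot: the release note `Improved implementation for *The minimum severity of incidents to fetch* parameter` does not say what changed for users; state that the minimum severity is now applied in the Sentinel query instead of after fetching, and add a line for the new *Incidents Fetch Interval* parameter introduced in `AzureSentinel.yml` in this same commit, which is otherwise undocumented.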

Packs/AzureSentinel/pack_metadata.json

+1-1
@@ -2,7 +2,7 @@
22
"name": "Microsoft Sentinel",
33
"description": "Microsoft Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.",
44
"support": "xsoar",
5-
"currentVersion": "1.5.59",
5+
"currentVersion": "1.5.60",
66
"author": "Cortex XSOAR",
77
"url": "https://www.paloaltonetworks.com/cortex",
88
"email": "",
