From 8dec343e9b53b09df1e1ffa96d078c49d424f27d Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 24 Jul 2023 17:21:25 -0700
Subject: [PATCH 01/23] Added new fields to the Incidents - ipAddressType and
 apiType

---
 .../Integrations/Traceable/Traceable.py       | 117 ++++++++-
 .../Integrations/Traceable/Traceable.yml      |   4 +-
 .../Integrations/Traceable/Traceable_test.py  | 243 ++++++++++++++++++
 3 files changed, 361 insertions(+), 3 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index e291fc43468e..e6ea955d6381 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -10,6 +10,7 @@
 from concurrent.futures import ThreadPoolExecutor
 import requests
 from requests.adapters import HTTPAdapter, Retry
+import ipaddress
 
 
 # Disable insecure warnings
@@ -196,6 +197,30 @@
 }
 """
 
+api_entities_query = """query entities
+{
+  entities(
+    scope: "API"
+    limit: $limit
+    between: {
+      startTime: "$starttime"
+      endTime: "$endtime"
+    }
+    offset: 0
+    $filter_by_clause
+  ) {
+    results {
+      id
+      name: attribute(expression: { key: "name" })
+      isExternal: attribute(expression: { key: "isExternal" })
+      isAuthenticated: attribute(expression: { key: "isAuthenticated" })
+      riskScore: attribute(expression: { key: "riskScore" })
+      riskScoreCategory: attribute(expression: { key: "riskScoreCategory" })
+    }
+    total
+  }
+}"""
+
 
 class Helper:
     @staticmethod
@@ -207,6 +232,10 @@ def construct_filterby_expression(*clauses):
     def datetime_to_string(d):
         return d.strftime(DATE_FORMAT)
 
+    @staticmethod
+    def string_to_datetime(s):
+        return datetime.strptime(s, DATE_FORMAT)
+
     @staticmethod
     def construct_key_expression(key, value, _type="ATTRIBUTE", operator="IN"):
         if key is None:
@@ -329,7 +358,7 @@ def set_ip_categories_list(self, ipCategoriesList):
                 _ipCategoriesList.append("IP_LOCATION_TYPE_BOT")
             else:
                 error = f"Unknown ipCategory {ipCategory} specified."
-                raise DemistoException(error)
+                raise Exception(error)
         self.ipCategoriesList = _ipCategoriesList
 
     def set_ip_abuse_velocity_list(self, ipAbuseVelocityList):
@@ -479,6 +508,30 @@ def get_threat_events_query(
         )
         return query
 
+    def get_api_endpoint_details_query(self, api_id_list, starttime, endtime):
+        filter_by_clause = Helper.construct_filterby_expression(
+            Helper.construct_key_expression("id", api_id_list)
+        )
+        return Template(api_entities_query).substitute(
+            filter_by_clause=filter_by_clause,
+            limit=self.limit,
+            starttime=Helper.datetime_to_string(starttime),
+            endtime=Helper.datetime_to_string(endtime),
+        )
+
+    def get_api_endpoint_details(self, api_id_list, starttime, endtime):
+        if len(api_id_list) == 0:
+            return []
+        query = self.get_api_endpoint_details_query(api_id_list, starttime, endtime)
+        result = self.graphql_query(query)
+
+        if Helper.is_error(result, "data", "entities", "results"):
+            msg = "Error Object: " + json.dumps(result)
+            demisto.error(msg)
+            raise Exception(msg)
+
+        return result["data"]["entities"]["results"]
+
     def get_threat_events(
         self,
         starttime,
@@ -500,6 +553,7 @@ def get_threat_events(
         events = []
         first = True
         future_list = []
+        api_id_list = []
         with ThreadPoolExecutor(max_workers=self.span_fetch_threadpool) as executor:
             for domain_event in results:
                 if Helper.is_error(domain_event, "traceId", "value"):
@@ -517,6 +571,12 @@ def get_threat_events(
 
                 trace_id = domain_event["traceId"]["value"]
                 span_id = domain_event["spanId"]["value"]
+                if (
+                    domain_event["apiId"] is not None
+                    and domain_event["apiId"]["value"] is not None
+                    and domain_event["apiId"]["value"] != "null"
+                ):
+                    api_id_list.append(domain_event["apiId"]["value"])
 
                 demisto.info("Forking thread for span retrieval")
 
@@ -531,6 +591,14 @@ def get_threat_events(
                 future_list.append((domain_event, future))
                 demisto.info("Completed thread for span retrieval")
 
+        api_endpoint_details = self.get_api_endpoint_details(
+            api_id_list, starttime, endtime
+        )
+        api_endpoint_details_map = {}
+        for api_endpoint_detail in api_endpoint_details:
+            api_endpoint_details_map[api_endpoint_detail["id"]] = api_endpoint_detail
+        api_endpoint_details = None
+
         for domain_event, future in future_list:
             trace_results = future.result()
             domain_event["type"] = "Exploit"
@@ -560,6 +628,53 @@ def get_threat_events(
                 domain_event["severity"] = domain_event["securityScoreCategory"][
                     "value"
                 ]
+            if (
+                domain_event["ipCategories"] is not None
+                and domain_event["ipCategories"]["value"] is not None
+                and len(domain_event["ipCategories"]["value"]) > 1
+                and domain_event["actorIpAddress"] is not None
+                and domain_event["actorIpAddress"]["value"] is not None
+            ):
+                is_private = False
+                for ipCategory in domain_event["ipCategories"]["value"]:
+                    if (
+                        ipCategory == "IP_LOCATION_TYPE_UNSPECIFIED"
+                        and ipaddress.ip_address(
+                            domain_event["actorIpAddress"]["value"]
+                        ).is_private
+                    ):
+                        domain_event["ipAddressType"] = "Internal"
+                        is_private = True
+                if not is_private:
+                    domain_event["ipAddressType"] = "External"
+
+            if (
+                domain_event["apiId"] is not None
+                and domain_event["apiId"]["value"] is not None
+                and domain_event["apiId"]["value"] != "null"
+                and domain_event["apiId"]["value"] in api_endpoint_details_map
+                and api_endpoint_details_map[domain_event["apiId"]["value"]] is not None
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isExternal"
+                ]
+                is not None
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isExternal"
+                ]
+                != "null"
+            ):
+                if api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isExternal"
+                ]:
+                    domain_event["apiType"] = "External"
+                else:
+                    domain_event["apiType"] = "Internal"
+
+            if "ipAddressType" not in domain_event:
+                domain_event["ipAddressType"] = "Internal"
+
+            if "apiType" not in domain_event:
+                domain_event["apiType"] = "Unknown"
 
             if Helper.is_error(trace_results, "data", "spans", "results"):
                 msg = "Error Object: " + json.dumps(result) + ". Couldn't get the Span."
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.yml b/Packs/Traceable/Integrations/Traceable/Traceable.yml
index 2308d8ebce9c..d73de3bfb980 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.yml
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.yml
@@ -90,8 +90,8 @@ configuration:
   - UNKNOWN
 - display: "IP Location Type"
   name: ipCategories
-  type: 16
   required: false
+  type: 16
   options:
   - Anonymous VPN
   - Hosting Provider
@@ -114,7 +114,7 @@ script:
   script: "-"
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.12.63474
+  dockerimage: demisto/python3:3.10.12.65389
 fromversion: 5.5.0
 tests:
 - No tests (auto formatted)
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index 846e03ca8669..4594349eabbb 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -58,6 +58,40 @@
   }
 }"""
 
+sample_api_result = """{
+  "data": {
+    "entities": {
+      "results": [
+        {
+          "id": "ea0f77c0-adc2-3a69-89ea-93b1c8341d8f",
+          "name": "POST /cart",
+          "isExternal": true,
+          "isAuthenticated": true,
+          "riskScore": 2,
+          "riskScoreCategory": "LOW"
+        },
+        {
+          "id": "067bb0d7-3740-3ba6-89eb-c457491fbc53",
+          "name": "POST /get_user",
+          "isExternal": true,
+          "isAuthenticated": true,
+          "riskScore": 3,
+          "riskScoreCategory": "MEDIUM"
+        },
+        {
+          "id": "be344182-c100-3287-874a-cb47eac709f2",
+          "name": "POST /cart",
+          "isExternal": false,
+          "isAuthenticated": true,
+          "riskScore": 2,
+          "riskScoreCategory": "LOW"
+        }
+      ],
+      "total": 3
+    }
+  }
+}"""
+
 empty_domain_event = """{
   "data": {
     "explore": {
@@ -66,6 +100,113 @@
   }
 }"""
 
+sample_domain_event_empty_api = """{
+  "data": {
+    "explore": {
+      "results": [
+        {
+          "threatCategory": {
+            "value": "null"
+          },
+          "id": {
+            "value": "9dd9261a-23db-472e-9d2a-a4c3227d6502"
+          },
+          "name": {
+            "value": "XSS Filter - Category 1: Script Tag Vector"
+          },
+          "type": {
+            "value": "Cross Site Scripting (XSS)"
+          },
+          "environment": {
+            "value": "Fintech_app"
+          },
+          "serviceName": {
+            "value": "frontend"
+          },
+          "apiName": {
+            "value": "POST /get_user"
+          },
+          "apiId": {
+            "value": "null"
+          },
+          "serviceId": {
+            "value": "3d67aadf-4605-385d-bd3a-b297789046fd"
+          },
+          "threatActorScore": {
+            "value": -2147483648
+          },
+          "anomalousAttribute": {
+            "value": "default.password"
+          },
+          "eventDescription": {
+            "value": "Matched Data: <script alert(1) /> found within ARGS:password: ${<script alert(1) />}"
+          },
+          "actorId": {
+            "value": "xxx@outlook.zz"
+          },
+          "actorCountry": {
+            "value": "United States"
+          },
+          "actorIpAddress": {
+            "value": "8.8.8.8"
+          },
+          "actorDevice": {
+            "value": "null"
+          },
+          "apiUri": {
+            "value": "http://localhost:1111/get_user?forwardUrl=http%3A%2F%2Fdummyjon.com"
+          },
+          "traceId": {
+            "value": "a1f93e44b31be69835cfeeac4f181869"
+          },
+          "statusCode": {
+            "value": "200"
+          },
+          "actorEntityId": {
+            "value": "null"
+          },
+          "actorScoreCategory": {
+            "value": "null"
+          },
+          "securityScoreCategory": {
+            "value": "LOW"
+          },
+          "securityScore": {
+            "value": 0
+          },
+          "category": {
+            "value": "SECURITY"
+          },
+          "securityEventType": {
+            "value": "MODSEC"
+          },
+          "ipCategories": {
+            "value": [
+              "IP_LOCATION_TYPE_PUBLIC_PROXY",
+              "IP_LOCATION_TYPE_BOT"
+            ]
+          },
+          "ipReputationLevel": {
+            "value": "CRITICAL"
+          },
+          "ipAbuseVelocity": {
+            "value": "HIGH"
+          },
+          "spanId": {
+            "value": "f7dded93dc8b49c7"
+          },
+          "actorSession": {
+            "value": "00b79cf7-f47a-7903-2b72-f6c3c65ae04e"
+          },
+          "timestamp": {
+            "value": 1687388516786
+          }
+        }
+      ]
+    }
+  }
+}"""
+
 sample_domain_event = """{
   "data": {
     "explore": {
@@ -192,6 +333,8 @@ def empty_response_handler(*args, **kwargs):
     elif "spans(" in data:
         r.text = sample_span_result
         return r
+    elif "entities(" in data:
+        r.text = sample_api_result
     return None
 
 
@@ -205,12 +348,32 @@ def response_handler(*args, **kwargs):
     elif "spans(" in data:
         r.text = sample_span_result
         return r
+    elif "entities(" in data:
+        r.text = sample_api_result
+        return r
+    return None
+
+
+def empty_api_response_handler(*args, **kwargs):
+    data: str = kwargs["json"]["query"]
+
+    r = Response()
+    if "DOMAIN_EVENT" in data:
+        r.text = sample_domain_event_empty_api
+        return r
+    elif "spans(" in data:
+        r.text = sample_span_result
+        return r
+    elif "entities(" in data:
+        r.text = sample_api_result
+        return r
     return None
 
 
 def test_fetch_incidents_last_fetch_none(mocker):
     from Traceable import Client, fetch_incidents
     import urllib3
+    import json
 
     urllib3.disable_warnings()
     headers = {}
@@ -229,6 +392,34 @@ def test_fetch_incidents_last_fetch_none(mocker):
 
     next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
     assert len(incidents) == 1
+    rawJSON = json.loads(incidents[0]["rawJSON"])
+    assert rawJSON["ipAddressType"] == "External"
+
+
+def test_fetch_incidents_no_linked_api(mocker):
+    from Traceable import Client, fetch_incidents
+    import urllib3
+    import json
+
+    urllib3.disable_warnings()
+    headers = {}
+    headers["Content-Type"] = "application/json"
+    headers["Accept"] = "application/json"
+
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    # client.set_threat_category_list(threatCategoryList)
+    client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_limit(100)
+
+    mocked_post = mocker.patch("requests.post")
+    mocked_post.side_effect = empty_api_response_handler
+
+    next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
+    assert len(incidents) == 1
+    rawJSON = json.loads(incidents[0]["rawJSON"])
+    assert rawJSON["apiType"] == "Unknown"
 
 
 def test_fetch_incidents_last_fetch_not_none(mocker):
@@ -601,3 +792,55 @@ def test_graphql_query_non_200(mocker, caplog, capfd):
     assert encountered_exception
     caplog.clear()
     capfd.readouterr()
+
+
+def test_get_api_endpoint_details_query():
+    from Traceable import Client, Helper
+
+    client = Client("https://mock.url")
+    client.set_limit(100)
+
+    query = client.get_api_endpoint_details_query(
+        [
+            "067bb0d7-3740-3ba6-89eb-c457491fbc53",
+            "ea0f77c0-adc2-3a69-89ea-93b1c8341d8f",
+            "be344182-c100-3287-874a-cb47eac709f2",
+        ],
+        Helper.string_to_datetime("2023-07-23T09:07:59Z"),
+        Helper.string_to_datetime("2023-07-24T09:07:59Z"),
+    )
+    expected_query = (
+        'query entities\n{\n  entities(\n    scope: "API"\n    limit: 100\n    between: '
+        + '{\n      startTime: "2023-07-23T09:07:59Z"\n      endTime: "2023-07-24T09:07:59Z"\n    }\n    of'
+        + 'fset: 0\n    filterBy: [{keyExpression: {key: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-8'
+        + '9eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1c8341d8f","be344182-c100-3287-874a-cb47eac709f2"]'
+        + ', type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      name: attribute(expression: { key: "n'
+        + 'ame" })\n      isExternal: attribute(expression: { key: "isExternal" })\n      isAuthenticated: '
+        + 'attribute(expression: { key: "isAuthenticated" })\n      riskScore: attribute(expression: { key:'
+        + ' "riskScore" })\n      riskScoreCategory: attribute(expression: { key: "riskScoreCategory" })\n '
+        + "   }\n    total\n  }\n}"
+    )
+
+    assert query == expected_query
+
+
+def test_get_api_endpoint_details(mocker):
+    from Traceable import Client, Helper
+
+    resp = Response()
+    resp.text = sample_api_result
+    resp.status_code = 200
+    client = Client("https://mock.url")
+    client.set_limit(100)
+    mocked_post = mocker.patch("requests.post")
+    mocked_post.return_value = resp
+    result = client.get_api_endpoint_details(
+        [
+            "067bb0d7-3740-3ba6-89eb-c457491fbc53",
+            "ea0f77c0-adc2-3a69-89ea-93b1c8341d8f",
+            "be344182-c100-3287-874a-cb47eac709f2",
+        ],
+        Helper.string_to_datetime("2023-07-23T09:07:59Z"),
+        Helper.string_to_datetime("2023-07-24T09:07:59Z"),
+    )
+    assert len(result) == 3

From 9b64c530ca24cdf6308111c97e3a259e3f8c1710 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Fri, 18 Aug 2023 03:47:09 -0700
Subject: [PATCH 02/23] - Adding Event url in the incident - Adding ignore
 status codes - Field to mark the affected api internal or external - field to
 mark the actor ip address internal or external

---
 .../Integrations/Traceable/Traceable.py       | 109 ++++++--
 .../Integrations/Traceable/Traceable.yml      |  32 ++-
 .../Integrations/Traceable/Traceable_test.py  | 255 +++++++++++++++++-
 Packs/Traceable/ReleaseNotes/1_0_3.md         |   8 +
 Packs/Traceable/pack_metadata.json            |   2 +-
 5 files changed, 377 insertions(+), 29 deletions(-)
 create mode 100644 Packs/Traceable/ReleaseNotes/1_0_3.md

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index e6ea955d6381..dac86ea8d2bc 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -5,6 +5,7 @@
 """ IMPORTS """
 
 import urllib3
+from urllib import parse
 from string import Template
 from datetime import datetime, timezone
 from concurrent.futures import ThreadPoolExecutor
@@ -329,12 +330,17 @@ def __init__(
         self.limit = None
         self.proxy = proxy
         self.span_fetch_threadpool = 10
+        self.app_url = ""
+        self.ignore_status_code_tuples = []
         self.environments = None
         super().__init__(base_url, verify, proxy, ok_codes, headers, auth, timeout)
 
     def set_security_score_category_list(self, securityScoreCategoryList):
         self.securityScoreCategoryList = securityScoreCategoryList
 
+    def set_app_url(self, app_url):
+        self.app_url = app_url
+
     def set_threat_category_list(self, threatCategoryList):
         self.threatCategoryList = threatCategoryList
 
@@ -379,6 +385,47 @@ def set_limit(self, limit):
     def set_environments(self, environments):
         self.environments = environments
 
+    def __parse_status_code_strings(self, status_code_list_string: str):
+        if status_code_list_string is None:
+            return []
+        _status_code_list_string = status_code_list_string.rstrip().lstrip()
+        if _status_code_list_string == "":
+            return []
+        range_tuple_list = []
+        ranges = status_code_list_string.split(",")
+        for range in ranges:
+            bounds = range.split("-")
+            lower = -1
+            upper = -1
+            bounds_len = len(bounds)
+            if bounds_len > 2:
+                demisto.log(f"Invalid status code range {range}. Ignoring.")
+                continue
+            if bounds_len > 0:
+                try:
+                    lower = int(bounds[0].lstrip().rstrip())
+                    upper = lower
+                except ValueError as e:
+                    demisto.log(f"Couldn't parse bounds for status code range {range}. Exception {e}. Ignoring Range.")
+                    continue
+            if bounds_len > 1:
+                try:
+                    upper = int(bounds[1].lstrip().rstrip())
+                except ValueError as e:
+                    demisto.log(f"Couldn't parse bounds for status code range {range}. Exception {e}. Ignoring Range.")
+                    continue
+            if lower < 100 or lower > 599 or upper < 100 or upper > 599 or lower > upper:
+                demisto.log(f"Invalid status code range {range}. Ignoring.")
+                continue
+            range_tuple_list.append((lower, upper))
+        return range_tuple_list
+
+    def is_ignored_status_code(self, status_code: int):
+        return any(status_code in range(lower, upper + 1) for lower, upper in self.ignore_status_code_tuples)
+
+    def set_ignore_status_codes(self, status_code_list_string):
+        self.ignore_status_code_tuples = self.__parse_status_code_strings(status_code_list_string)
+
     def graphql_query(self, query, params={}, verify=False):
         demisto.debug("Entered from graphql_query")
         demisto.debug("Running request...")
@@ -538,17 +585,17 @@ def get_threat_events(
         endtime=datetime.now(),
     ):
         query = self.get_threat_events_query(starttime, endtime)
-        demisto.debug("Query is: " + query)
+        demisto.debug(f"Query is: {query}")
         result = self.graphql_query(query)
         if Helper.is_error(result, "data", "explore", "results"):
-            msg = "Error Object: " + json.dumps(result)
+            msg = f"Error Object: {json.dumps(result)}"
             demisto.error(msg)
             raise Exception(msg)
 
         results = result["data"]["explore"]["results"]
 
-        demisto.info("Retrieved: " + str(len(results)) + " Domain Events")
-        demisto.debug("Result is:" + json.dumps(results, indent=2))
+        demisto.info(f"Retrieved: {len(results)} Domain Events")
+        demisto.debug(f"Result is:{json.dumps(results, indent=2)}")
 
         events = []
         first = True
@@ -558,17 +605,21 @@ def get_threat_events(
             for domain_event in results:
                 if Helper.is_error(domain_event, "traceId", "value"):
                     demisto.info(
-                        "Couldn't find traceId in Domain Event: "
-                        + json.dumps(domain_event, indent=2)
+                        f"Couldn't find traceId in Domain Event: {json.dumps(domain_event, indent=2)}"
                     )
                     continue
+
                 if Helper.is_error(domain_event, "spanId", "value"):
                     demisto.info(
-                        "Couldn't find spanId in Domain Event: "
-                        + json.dumps(domain_event, indent=2)
+                        f"Couldn't find spanId in Domain Event: {json.dumps(domain_event, indent=2)}"
                     )
                     continue
 
+                if ("statusCode" in domain_event and "value" in domain_event["statusCode"]):
+                    status_code = domain_event["statusCode"]["value"]
+                    if (self.is_ignored_status_code(status_code)):
+                        continue
+
                 trace_id = domain_event["traceId"]["value"]
                 span_id = domain_event["spanId"]["value"]
                 if (
@@ -594,9 +645,10 @@ def get_threat_events(
         api_endpoint_details = self.get_api_endpoint_details(
             api_id_list, starttime, endtime
         )
-        api_endpoint_details_map = {}
-        for api_endpoint_detail in api_endpoint_details:
-            api_endpoint_details_map[api_endpoint_detail["id"]] = api_endpoint_detail
+        api_endpoint_details_map = {
+            api_endpoint_detail["id"]: api_endpoint_detail
+            for api_endpoint_detail in api_endpoint_details
+        }
         api_endpoint_details = None
 
         for domain_event, future in future_list:
@@ -649,7 +701,8 @@ def get_threat_events(
                     domain_event["ipAddressType"] = "External"
 
             if (
-                domain_event["apiId"] is not None
+                "apiId" in domain_event
+                and "value" in domain_event["apiId"]
                 and domain_event["apiId"]["value"] is not None
                 and domain_event["apiId"]["value"] != "null"
                 and domain_event["apiId"]["value"] in api_endpoint_details_map
@@ -676,18 +729,30 @@ def get_threat_events(
             if "apiType" not in domain_event:
                 domain_event["apiType"] = "Unknown"
 
+            if ("id" in domain_event and "value" in domain_event["id"] and self.app_url != ""
+                    and "environment" in domain_event and "value" in domain_event["environment"]):
+                domain_event["eventUrl"] = (
+                    f"{self.app_url}/security-event/"
+                    + domain_event["id"]["value"]
+                    + "?time=90d&env="
+                    + parse.quote(domain_event["environment"]["value"])
+                )
+
+            else:
+                domain_event["eventUrl"] = None
+
             if Helper.is_error(trace_results, "data", "spans", "results"):
-                msg = "Error Object: " + json.dumps(result) + ". Couldn't get the Span."
+                msg = f"Error Object: {json.dumps(result)}. Couldn't get the Span."
                 demisto.info(msg)
             else:
-                demisto.info("Found Span with id: " + span_id + ". Adding to Event.")
+                demisto.info(f"Found Span with id: {span_id}. Adding to Event.")
                 domain_event["spans"] = trace_results["data"]["spans"]["results"]
                 events.append(domain_event)
                 if first:
                     first = False
-                    demisto.info("Domain Event: " + json.dumps(domain_event, indent=3))
+                    demisto.info(f"Domain Event: {json.dumps(domain_event, indent=3)}")
                 demisto.debug(
-                    "Complete Domain Event is: " + json.dumps(domain_event, indent=2)
+                    f"Complete Domain Event is: {json.dumps(domain_event, indent=2)}"
                 )
 
         return events
@@ -746,9 +811,11 @@ def fetch_incidents(client: Client, last_run, first_fetch_time):
         incident = {
             "name": item["name"],
             "displayname": item["displayname"],
+            "eventUrl": item["eventUrl"],
             "country": item["country"],
             "sourceip": item["sourceip"],
             "riskscore": item["riskscore"],
+            "ipAddressType": item["ipAddressType"],
             "severity": XSOAR_SEVERITY_BY_TRACEABLE_SEVERITY.get(
                 item["severity"], IncidentSeverity.UNKNOWN
             ),
@@ -783,7 +850,6 @@ def main() -> None:
 
     demisto.debug(f"Command being called is {demisto.command()}")
     try:
-        headers: dict = {}
         first_fetch_time = demisto.params().get("first_fetch", "3 days").strip()
         securityScoreCategoryList = demisto.params().get("securityScoreCategory")
         threatCategoryList = demisto.params().get("threatCategory")
@@ -791,7 +857,9 @@ def main() -> None:
         ipAbuseVelocityList = demisto.params().get("ipAbuseVelocity")
         limit = int(demisto.params().get("max_fetch", 100))
         span_fetch_threadpool = int(demisto.params().get("span_fetch_threadpool", 10))
+        app_url = demisto.params().get("app_url", "https://app.traceable.ai")
         ipCategoriesList = demisto.params().get("ipCategories")
+        ignoreStatusCodes = demisto.params().get("ignoreStatusCodes", "400-499")
 
         _env = demisto.params().get("environment")
 
@@ -800,9 +868,7 @@ def main() -> None:
             environments = argToList(_env)
 
         apikey = demisto.params().get("credentials", {}).get("password")
-        headers["Authorization"] = apikey
-        headers["Content-Type"] = "application/json"
-
+        headers: dict = {"Authorization": apikey, "Content-Type": "application/json"}
         client = Client(
             base_url, verify=verify_certificate, headers=headers, proxy=proxy
         )
@@ -814,6 +880,8 @@ def main() -> None:
         client.set_environments(environments)
         client.set_span_fetch_threadpool(span_fetch_threadpool)
         client.set_ip_categories_list(ipCategoriesList)
+        client.set_app_url(app_url)
+        client.set_ignore_status_codes(ignoreStatusCodes)
         client.set_limit(limit)
 
         if demisto.command() == "test-module":
@@ -831,7 +899,6 @@ def main() -> None:
             demisto.setLastRun(next_run)
             demisto.incidents(incidents)
 
-    # Log exceptions and return errors
     except Exception as e:
         return_error(
             f"Failed to execute {demisto.command()} command.\nError:\n{str(e)}"
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.yml b/Packs/Traceable/Integrations/Traceable/Traceable.yml
index d73de3bfb980..694ffe73c7c8 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.yml
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.yml
@@ -3,7 +3,7 @@ commonfields:
   id: Traceable
   version: -1
 configuration:
-- display: Traceable Platform URL
+- display: Traceable Platform API Endpoint URL
   name: url
   defaultvalue: https://api.traceable.ai
   type: 0
@@ -90,8 +90,8 @@ configuration:
   - UNKNOWN
 - display: "IP Location Type"
   name: ipCategories
-  required: false
   type: 16
+  required: false
   options:
   - Anonymous VPN
   - Hosting Provider
@@ -99,11 +99,37 @@ configuration:
   - TOR Exit Node
   - BOT
   - Unknown
+- display: "IP Address Type"
+  defaultvalue: External
+  name: ipAddressType
+  required: false
+  type: 16
+  options:
+  - Internal
+  - External
+- display: "API Type"
+  name: apiType
+  required: false
+  defaultvalue: External
+  type: 16
+  options:
+  - Internal
+  - External
+- display: Traceable Platform Endpoint URL
+  name: app_url
+  defaultvalue: https://app.traceable.ai
+  type: 0
+  required: false
 - display: Incident type
   defaultvalue: Exploit
   name: incidentType
   required: false
   type: 13
+- display: Ignore Status Codes
+  name: ignoreStatusCodes
+  defaultvalue: 400-499
+  type: 0
+  required: false
 description: "Traceable Platform Integration enables publishing Traceable Detected Security Events to be published to Cortex Xsoar for further action."
 display: "Traceable"
 name: Traceable
@@ -114,7 +140,7 @@ script:
   script: "-"
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.12.65389
+  dockerimage: demisto/python3:3.10.12.68714
 fromversion: 5.5.0
 tests:
 - No tests (auto formatted)
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index 4594349eabbb..05d2265d3132 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -315,6 +315,113 @@
 }"""
 
 
+sample_domain_event_with_private_ip = """{
+  "data": {
+    "explore": {
+      "results": [
+        {
+          "threatCategory": {
+            "value": "null"
+          },
+          "id": {
+            "value": "9dd9261a-23db-472e-9d2a-a4c3227d6502"
+          },
+          "name": {
+            "value": "XSS Filter - Category 1: Script Tag Vector"
+          },
+          "type": {
+            "value": "Cross Site Scripting (XSS)"
+          },
+          "environment": {
+            "value": "Fintech_app"
+          },
+          "serviceName": {
+            "value": "frontend"
+          },
+          "apiName": {
+            "value": "POST /get_user"
+          },
+          "apiId": {
+            "value": "067bb0d7-3740-3ba6-89eb-c457491fbc53"
+          },
+          "serviceId": {
+            "value": "3d67aadf-4605-385d-bd3a-b297789046fd"
+          },
+          "threatActorScore": {
+            "value": -2147483648
+          },
+          "anomalousAttribute": {
+            "value": "default.password"
+          },
+          "eventDescription": {
+            "value": "Matched Data: <script alert(1) /> found within ARGS:password: ${<script alert(1) />}"
+          },
+          "actorId": {
+            "value": "xxx@outlook.zz"
+          },
+          "actorCountry": {
+            "value": "United States"
+          },
+          "actorIpAddress": {
+            "value": "192.168.11.20"
+          },
+          "actorDevice": {
+            "value": "null"
+          },
+          "apiUri": {
+            "value": "http://localhost:1111/get_user?forwardUrl=http%3A%2F%2Fdummyjon.com"
+          },
+          "traceId": {
+            "value": "a1f93e44b31be69835cfeeac4f181869"
+          },
+          "statusCode": {
+            "value": "200"
+          },
+          "actorEntityId": {
+            "value": "null"
+          },
+          "actorScoreCategory": {
+            "value": "null"
+          },
+          "securityScoreCategory": {
+            "value": "LOW"
+          },
+          "securityScore": {
+            "value": 0
+          },
+          "category": {
+            "value": "SECURITY"
+          },
+          "securityEventType": {
+            "value": "MODSEC"
+          },
+          "ipCategories": {
+            "value": [
+              "IP_LOCATION_TYPE_UNSPECIFIED"
+            ]
+          },
+          "ipReputationLevel": {
+            "value": "CRITICAL"
+          },
+          "ipAbuseVelocity": {
+            "value": "HIGH"
+          },
+          "spanId": {
+            "value": "f7dded93dc8b49c7"
+          },
+          "actorSession": {
+            "value": "00b79cf7-f47a-7903-2b72-f6c3c65ae04e"
+          },
+          "timestamp": {
+            "value": 1687388516786
+          }
+        }
+      ]
+    }
+  }
+}"""
+
+
 class Response:
     def __init__(self) -> None:
         pass
@@ -354,6 +461,22 @@ def response_handler(*args, **kwargs):
     return None
 
 
+def response_handler_private_ip(*args, **kwargs):
+    data: str = kwargs["json"]["query"]
+
+    r = Response()
+    if "DOMAIN_EVENT" in data:
+        r.text = sample_domain_event_with_private_ip
+        return r
+    elif "spans(" in data:
+        r.text = sample_span_result
+        return r
+    elif "entities(" in data:
+        r.text = sample_api_result
+        return r
+    return None
+
+
 def empty_api_response_handler(*args, **kwargs):
     data: str = kwargs["json"]["query"]
 
@@ -373,7 +496,6 @@ def empty_api_response_handler(*args, **kwargs):
 def test_fetch_incidents_last_fetch_none(mocker):
     from Traceable import Client, fetch_incidents
     import urllib3
-    import json
 
     urllib3.disable_warnings()
     headers = {}
@@ -382,9 +504,9 @@ def test_fetch_incidents_last_fetch_none(mocker):
 
     client = Client(base_url="https://mock.url", verify=False, headers=headers)
     client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
-    # client.set_threat_category_list(threatCategoryList)
     client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_app_url("https://app.mock.url")
     client.set_limit(100)
 
     mocked_post = mocker.patch("requests.post")
@@ -392,8 +514,8 @@ def test_fetch_incidents_last_fetch_none(mocker):
 
     next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
     assert len(incidents) == 1
-    rawJSON = json.loads(incidents[0]["rawJSON"])
-    assert rawJSON["ipAddressType"] == "External"
+    assert incidents[0]["ipAddressType"] == "External"
+    assert incidents[0]["eventUrl"] == "https://app.mock.url/security-event/9dd9261a-23db-472e-9d2a-a4c3227d6502?time=90d&env=Fintech_app"
 
 
 def test_fetch_incidents_no_linked_api(mocker):
@@ -844,3 +966,128 @@ def test_get_api_endpoint_details(mocker):
         Helper.string_to_datetime("2023-07-24T09:07:59Z"),
     )
     assert len(result) == 3
+
+
+def test_url_encode(capfd):
+    from urllib import parse
+    s = "Fintech App"
+    r = parse.quote(s)
+    assert r == "Fintech%20App"
+
+
+def test_check_private_ip():
+    from ipaddress import ip_address
+    is_private = ip_address("192.168.11.20").is_private
+    assert is_private
+
+    is_private = ip_address("17.5.7.3").is_private
+    assert not is_private
+
+
+def test_fetch_incident_with_private_ipaddress(mocker):
+    from Traceable import Client, fetch_incidents
+    import urllib3
+
+    urllib3.disable_warnings()
+    headers = {"Content-Type": "application/json", "Accept": "application/json"}
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_app_url("https://app.mock.url")
+    client.set_limit(100)
+
+    mocked_post = mocker.patch("requests.post")
+    mocked_post.side_effect = response_handler_private_ip
+
+    next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
+    assert len(incidents) == 1
+    assert incidents[0]["ipAddressType"] == "Internal"
+    assert incidents[0]["eventUrl"] == "https://app.mock.url/security-event/9dd9261a-23db-472e-9d2a-a4c3227d6502?time=90d&env=Fintech_app"
+
+
+def test_ignore_ranges_parsing():
+    from Traceable import Client
+    headers = {"Content-Type": "application/json", "Accept": "application/json"}
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_ignore_status_codes("    400    -    499   ")
+    assert len(client.ignore_status_code_tuples) == 1
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 400
+    assert upper == 499
+
+    client.set_ignore_status_codes("400-499")
+    assert len(client.ignore_status_code_tuples) == 1
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 400
+    assert upper == 499
+
+    client.set_ignore_status_codes("  500  ")
+    assert len(client.ignore_status_code_tuples) == 1
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 500
+    assert upper == 500
+
+    client.set_ignore_status_codes("500")
+    assert len(client.ignore_status_code_tuples) == 1
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 500
+    assert upper == 500
+
+    client.set_ignore_status_codes("400-499, 500")
+    assert len(client.ignore_status_code_tuples) == 2
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 400
+    assert upper == 499
+    lower, upper = client.ignore_status_code_tuples[1]
+    assert lower == 500
+    assert upper == 500
+
+    client.set_ignore_status_codes("  400    -  499  ,  500")
+    assert len(client.ignore_status_code_tuples) == 2
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 400
+    assert upper == 499
+    lower, upper = client.ignore_status_code_tuples[1]
+    assert lower == 500
+    assert upper == 500
+
+    client.set_ignore_status_codes("  400    -  499 -- ,  500")
+    assert len(client.ignore_status_code_tuples) == 1
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 500
+    assert upper == 500
+
+    client.set_ignore_status_codes("  400    -   ,  500  ")
+    assert len(client.ignore_status_code_tuples) == 1
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 500
+    assert upper == 500
+
+    client.set_ignore_status_codes("  400      ,  500  ")
+    assert len(client.ignore_status_code_tuples) == 2
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 400
+    assert upper == 400
+    lower, upper = client.ignore_status_code_tuples[1]
+    assert lower == 500
+    assert upper == 500
+
+    client.set_ignore_status_codes("  2,600, 700-800, a-b, 3-g , r-4 , 300-400-500     ,  500  ")
+    assert len(client.ignore_status_code_tuples) == 1
+    lower, upper = client.ignore_status_code_tuples[0]
+    assert lower == 500
+    assert upper == 500
+
+
+def test_is_ignored_range():
+    from Traceable import Client
+    headers = {"Content-Type": "application/json", "Accept": "application/json"}
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_ignore_status_codes("1,300,400-499")
+    assert not client.is_ignored_status_code(1)
+    assert client.is_ignored_status_code(300)
+    assert client.is_ignored_status_code(400)
+    assert client.is_ignored_status_code(450)
+    assert client.is_ignored_status_code(499)
+    assert not client.is_ignored_status_code(500)
diff --git a/Packs/Traceable/ReleaseNotes/1_0_3.md b/Packs/Traceable/ReleaseNotes/1_0_3.md
new file mode 100644
index 000000000000..a4ac784b23d1
--- /dev/null
+++ b/Packs/Traceable/ReleaseNotes/1_0_3.md
@@ -0,0 +1,8 @@
+
+#### Integrations
+
+##### Traceable
+
+- %%UPDATE_RN%%
+- Updated the Docker image to: *demisto/python3:3.10.12.68714*.
+
diff --git a/Packs/Traceable/pack_metadata.json b/Packs/Traceable/pack_metadata.json
index d2e7231609b5..0842a95c54c3 100644
--- a/Packs/Traceable/pack_metadata.json
+++ b/Packs/Traceable/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Traceable",
     "description": "Traceable AI API Security Platform Integration",
     "support": "partner",
-    "currentVersion": "1.0.2",
+    "currentVersion": "1.0.3",
     "author": "Traceable Inc",
     "url": "mailto:support@traceable.ai",
     "email": "",

From 2642f50292eaa91ff6a295c4daaa161177568d4d Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 00:50:09 -0700
Subject: [PATCH 03/23] - Status code filtering - Incident Field Selection -
 Unit Tests

---
 .../Integrations/Traceable/Traceable.py       | 240 +++++++------
 .../Integrations/Traceable/Traceable.yml      |  35 ++
 .../Integrations/Traceable/Traceable_test.py  | 327 +++++++++++++++---
 3 files changed, 450 insertions(+), 152 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index dac86ea8d2bc..3a5e61c3fdfc 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -57,101 +57,7 @@
     ]
   ) {
     results {
-      threatCategory: selection(expression: {key: "threatCategory"}) {
-        value
-      }
-      id: selection(expression: { key: "id" }) {
-        value
-      }
-      name: selection(expression: { key: "name" }) {
-        value
-      }
-      type: selection(expression: { key: "type" }) {
-        value
-      }
-      environment: selection(expression: { key: "environment" }) {
-        value
-      }
-      serviceName: selection(expression: { key: "serviceName" }) {
-        value
-      }
-      apiName: selection(expression: { key: "apiName" }) {
-        value
-      }
-      apiId: selection(expression: { key: "apiId"}) {
-        value
-      }
-      serviceId: selection(expression: { key: "serviceId" }) {
-        value
-      }
-      threatActorScore: selection(expression: { key: "actorScore" }) {
-        value
-      }
-      anomalousAttribute: selection(expression: { key: "anomalousAttribute" }) {
-        value
-      }
-      eventDescription: selection(expression: { key: "eventDescription" }) {
-        value
-      }
-      actorId: selection(expression: { key: "actorId" }) {
-        value
-      }
-      actorCountry: selection(expression: { key: "actorCountry" }) {
-        value
-      }
-      actorIpAddress: selection(expression: { key: "actorIpAddress" }) {
-        value
-      }
-      actorDevice: selection(expression: { key: "actorDevice" }) {
-        value
-      }
-      apiUri: selection(expression: { key: "apiUri" }) {
-        value
-      }
-      traceId: selection(expression: { key: "traceId" }) {
-        value
-      }
-      statusCode: selection(expression: { key: "statusCode" }) {
-        value
-      }
-      actorEntityId: selection(expression: { key: "actorEntityId" }) {
-        value
-      }
-      actorScoreCategory: selection(expression: { key: "actorScoreCategory" }) {
-        value
-      }
-      securityScoreCategory: selection(
-        expression: { key: "securityScoreCategory" }
-      ) {
-        value
-      }
-      securityScore: selection(expression: { key: "securityScore" }) {
-        value
-      }
-      category: selection(expression: { key: "category" }) {
-        value
-      }
-      securityEventType: selection(expression: { key: "securityEventType" }) {
-        value
-      }
-      ipCategories: selection(expression: { key: "ipCategories" }) {
-        value
-      }
-      ipReputationLevel: selection(expression: { key: "ipReputationLevel" }) {
-        value
-      }
-      ipAbuseVelocity: selection(expression: { key: "ipAbuseVelocity" }) {
-        value
-      }
-      spanId: selection(expression: { key: "spanId" }) {
-        value
-      }
-      actorSession: selection(expression: { key: "actorSession" }) {
-        value
-      }
-      timestamp: selection(expression: { key: "timestamp" }) {
-        value
-      }
+        $field_list
     }
   }
 }
@@ -212,11 +118,11 @@
   ) {
     results {
       id
-      name: attribute(expression: { key: "name" })
       isExternal: attribute(expression: { key: "isExternal" })
       isAuthenticated: attribute(expression: { key: "isAuthenticated" })
       riskScore: attribute(expression: { key: "riskScore" })
       riskScoreCategory: attribute(expression: { key: "riskScoreCategory" })
+      isLearnt: attribute(expression: { key: "isLearnt" })
     }
     total
   }
@@ -229,6 +135,24 @@ def construct_filterby_expression(*clauses):
         non_null_list = [i for i in clauses if i is not None]
         return "filterBy: [" + ",".join(non_null_list) + "]"
 
+    @staticmethod
+    def construct_field_selection_expression(field_list):
+        non_null_field_list = [i for i in field_list if i is not None and i != ""]
+        expression_list = ""
+        for field in non_null_field_list:
+            expression = f"{field}: selection(expression: {{key: \"{field}\"}}) {{ value }}"
+            expression_list = expression_list + expression + "\n"
+        return expression_list
+
+    @staticmethod
+    def construct_field_attribute_expression(field_list):
+        non_null_field_list = [i for i in field_list if i is not None and i != ""]
+        expression_list = ""
+        for field in non_null_field_list:
+            expression = f"{field}: attribute(expression: {{ key: \"{field}\" }})"
+            expression_list = expression_list + expression + "\n"
+        return expression_list
+
     @staticmethod
     def datetime_to_string(d):
         return d.strftime(DATE_FORMAT)
@@ -333,6 +257,15 @@ def __init__(
         self.app_url = ""
         self.ignore_status_code_tuples = []
         self.environments = None
+        self.__mandatory_domain_event_field_list = ["actorCountry", "actorIpAddress", "apiId", "environment", "eventDescription",
+                                                    "id", "ipCategories", "name", "securityScoreCategory", "spanId",
+                                                    "statusCode", "timestamp", "traceId"]
+        self.__allowed_optional_domain_event_field_list = ["actorDevice", "actorEntityId", "actorId", "actorScoreCategory",
+                                                           "actorSession", "anomalousAttribute", "apiName", "apiUri",
+                                                           "category", "ipAbuseVelocity", "ipReputationLevel",
+                                                           "securityEventType", "securityScore", "serviceId", "serviceName",
+                                                           "actorScore", "threatCategory", "type"]
+        self.domain_event_field_list = []
         super().__init__(base_url, verify, proxy, ok_codes, headers, auth, timeout)
 
     def set_security_score_category_list(self, securityScoreCategoryList):
@@ -426,6 +359,32 @@ def is_ignored_status_code(self, status_code: int):
     def set_ignore_status_codes(self, status_code_list_string):
         self.ignore_status_code_tuples = self.__parse_status_code_strings(status_code_list_string)
 
+    def __process_domain_event_field_list(self, field_list: list):
+        demisto.log(f"List of allowed optional fields: {self.__allowed_optional_domain_event_field_list}")
+        demisto.log(f"Processing Option Field list: {field_list}")
+        final_list = []
+        final_list.extend(self.__mandatory_domain_event_field_list)
+
+        if field_list is not None and len(field_list) > 0:
+            for field in field_list:
+                if field in self.__allowed_optional_domain_event_field_list:
+                    final_list.append(field)
+                    demisto.log(f"Adding {field} to list of Incident fields to query.")
+                else:
+                    demisto.log(f"Ignoring {field} as it is not allowed.")
+        return final_list
+
+    def get_domain_event_query_fields(self):
+        if len(self.domain_event_field_list) == 0:
+            demisto.log(
+                "Optional incident field list was not provided. Initializing with minimum required fields:"
+                + f" {self.__mandatory_domain_event_field_list}")
+            self.set_domain_event_field_list(None)
+        return Helper.construct_field_selection_expression(self.domain_event_field_list)
+
+    def set_domain_event_field_list(self, field_list):
+        self.domain_event_field_list = self.__process_domain_event_field_list(field_list)
+
     def graphql_query(self, query, params={}, verify=False):
         demisto.debug("Entered from graphql_query")
         demisto.debug("Running request...")
@@ -546,12 +505,14 @@ def get_threat_events_query(
             ipCategories_clause,
             ipAbuseVelocity_clause,
         )
+
         demisto.info("Limit set to: " + str(self.limit))
         query = Template(get_threat_events_query).substitute(
             limit=self.limit,
             starttime=Helper.datetime_to_string(starttime),
             endtime=Helper.datetime_to_string(endtime),
             filter_by_clause=filter_by_clause,
+            field_list=self.get_domain_event_query_fields()
         )
         return query
 
@@ -707,14 +668,13 @@ def get_threat_events(
                 and domain_event["apiId"]["value"] != "null"
                 and domain_event["apiId"]["value"] in api_endpoint_details_map
                 and api_endpoint_details_map[domain_event["apiId"]["value"]] is not None
+                and "isExternal" in api_endpoint_details_map[domain_event["apiId"]["value"]]
                 and api_endpoint_details_map[domain_event["apiId"]["value"]][
                     "isExternal"
-                ]
-                is not None
+                ] is not None
                 and api_endpoint_details_map[domain_event["apiId"]["value"]][
                     "isExternal"
-                ]
-                != "null"
+                ] != "null"
             ):
                 if api_endpoint_details_map[domain_event["apiId"]["value"]][
                     "isExternal"
@@ -722,6 +682,79 @@ def get_threat_events(
                     domain_event["apiType"] = "External"
                 else:
                     domain_event["apiType"] = "Internal"
+            if (
+                "apiId" in domain_event
+                and "value" in domain_event["apiId"]
+                and domain_event["apiId"]["value"] is not None
+                and domain_event["apiId"]["value"] != "null"
+                and domain_event["apiId"]["value"] in api_endpoint_details_map
+                and api_endpoint_details_map[domain_event["apiId"]["value"]] is not None
+                and "isAuthenticated" in api_endpoint_details_map[domain_event["apiId"]["value"]]
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isAuthenticated"
+                ] is not None
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isAuthenticated"
+                ]
+                != "null"
+            ):
+                domain_event["apiIsAuthenticated"] = api_endpoint_details_map[domain_event["apiId"]["value"]]["isAuthenticated"]
+            if (
+                "apiId" in domain_event
+                and "value" in domain_event["apiId"]
+                and domain_event["apiId"]["value"] is not None
+                and domain_event["apiId"]["value"] != "null"
+                and domain_event["apiId"]["value"] in api_endpoint_details_map
+                and api_endpoint_details_map[domain_event["apiId"]["value"]] is not None
+                and "riskScore" in api_endpoint_details_map[domain_event["apiId"]["value"]]
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "riskScore"
+                ] is not None
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "riskScore"
+                ]
+                != "null"
+            ):
+                domain_event["apiRiskScore"] = api_endpoint_details_map[domain_event["apiId"]["value"]]["riskScore"]
+            if (
+                "apiId" in domain_event
+                and "value" in domain_event["apiId"]
+                and domain_event["apiId"]["value"] is not None
+                and domain_event["apiId"]["value"] != "null"
+                and domain_event["apiId"]["value"] in api_endpoint_details_map
+                and api_endpoint_details_map[domain_event["apiId"]["value"]] is not None
+                and "riskScoreCategory" in api_endpoint_details_map[domain_event["apiId"]["value"]]
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "riskScoreCategory"
+                ] is not None
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "riskScoreCategory"
+                ]
+                != "null"
+            ):
+                domain_event["apiRiskScoreCategory"] = api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "riskScoreCategory"
+                ]
+
+            if (
+                "apiId" in domain_event
+                and "value" in domain_event["apiId"]
+                and domain_event["apiId"]["value"] is not None
+                and domain_event["apiId"]["value"] != "null"
+                and domain_event["apiId"]["value"] in api_endpoint_details_map
+                and api_endpoint_details_map[domain_event["apiId"]["value"]] is not None
+                and "isLearnt" in api_endpoint_details_map[domain_event["apiId"]["value"]]
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isLearnt"
+                ] is not None
+                and api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isLearnt"
+                ]
+                != "null"
+            ):
+                domain_event["apiIsLearnt"] = api_endpoint_details_map[domain_event["apiId"]["value"]][
+                    "isLearnt"
+                ]
 
             if "ipAddressType" not in domain_event:
                 domain_event["ipAddressType"] = "Internal"
@@ -737,7 +770,6 @@ def get_threat_events(
                     + "?time=90d&env="
                     + parse.quote(domain_event["environment"]["value"])
                 )
-
             else:
                 domain_event["eventUrl"] = None
 
@@ -859,7 +891,9 @@ def main() -> None:
         span_fetch_threadpool = int(demisto.params().get("span_fetch_threadpool", 10))
         app_url = demisto.params().get("app_url", "https://app.traceable.ai")
         ipCategoriesList = demisto.params().get("ipCategories")
-        ignoreStatusCodes = demisto.params().get("ignoreStatusCodes", "400-499")
+        ignoreStatusCodes = demisto.params().get("ignoreStatusCodes", "")
+        optionalDomainEventFieldList = demisto.params().get("optionalDomainEventFieldList")
+        demisto.params().get("optionalAPIAttributes")
 
         _env = demisto.params().get("environment")
 
@@ -882,6 +916,8 @@ def main() -> None:
         client.set_ip_categories_list(ipCategoriesList)
         client.set_app_url(app_url)
         client.set_ignore_status_codes(ignoreStatusCodes)
+        client.set_domain_event_field_list(optionalDomainEventFieldList)
+        # client.set_optional_api_attributes(optionalAPIAttributes)
         client.set_limit(limit)
 
         if demisto.command() == "test-module":
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.yml b/Packs/Traceable/Integrations/Traceable/Traceable.yml
index 694ffe73c7c8..ac996a3d884f 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.yml
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.yml
@@ -130,6 +130,41 @@ configuration:
   defaultvalue: 400-499
   type: 0
   required: false
+- display: Incident pull optional field list
+  name: optionalDomainEventFieldList
+  defaultvalue: actorDevice,actorEntityId,actorId,actorScoreCategory,actorSession,anomalousAttribute,apiName,apiUri,category,ipAbuseVelocity,ipReputationLevel,securityEventType,securityScore,serviceId,serviceName,actorScore,threatCategory,type
+  options:
+  - actorDevice
+  - actorEntityId
+  - actorId
+  - actorScoreCategory
+  - actorSession
+  - anomalousAttribute
+  - apiName
+  - apiUri
+  - category
+  - ipAbuseVelocity
+  - ipReputationLevel
+  - securityEventType
+  - securityScore
+  - serviceId
+  - serviceName
+  - actorScore
+  - threatCategory
+  - type
+  type: 16
+  required: false
+- display: Pull Additional API Attributes
+  name: optionalAPIAttributes
+  defaultvalue: isExternal,isAuthenticated,riskScore,riskScoreCategory,isLearnt
+  options:
+  - isExternal
+  - isAuthenticated
+  - riskScore
+  - riskScoreCategory
+  - isLearnt
+  type: 16
+  required: false
 description: "Traceable Platform Integration enables publishing Traceable Detected Security Events to be published to Cortex Xsoar for further action."
 display: "Traceable"
 name: Traceable
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index 05d2265d3132..7ec4b2fcf596 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -67,6 +67,7 @@
           "name": "POST /cart",
           "isExternal": true,
           "isAuthenticated": true,
+          "isLearnt": true,
           "riskScore": 2,
           "riskScoreCategory": "LOW"
         },
@@ -74,6 +75,7 @@
           "id": "067bb0d7-3740-3ba6-89eb-c457491fbc53",
           "name": "POST /get_user",
           "isExternal": true,
+          "isLearnt": true,
           "isAuthenticated": true,
           "riskScore": 3,
           "riskScoreCategory": "MEDIUM"
@@ -82,6 +84,44 @@
           "id": "be344182-c100-3287-874a-cb47eac709f2",
           "name": "POST /cart",
           "isExternal": false,
+          "isLearnt": true,
+          "isAuthenticated": true,
+          "riskScore": 2,
+          "riskScoreCategory": "LOW"
+        }
+      ],
+      "total": 3
+    }
+  }
+}"""
+
+sample_private_api_result = """{
+  "data": {
+    "entities": {
+      "results": [
+        {
+          "id": "ea0f77c0-adc2-3a69-89ea-93b1c8341d8f",
+          "name": "POST /cart",
+          "isExternal": false,
+          "isLearnt": true,
+          "isAuthenticated": true,
+          "riskScore": 2,
+          "riskScoreCategory": "LOW"
+        },
+        {
+          "id": "067bb0d7-3740-3ba6-89eb-c457491fbc53",
+          "name": "POST /get_user",
+          "isExternal": false,
+          "isLearnt": true,
+          "isAuthenticated": true,
+          "riskScore": 3,
+          "riskScoreCategory": "MEDIUM"
+        },
+        {
+          "id": "be344182-c100-3287-874a-cb47eac709f2",
+          "name": "POST /cart",
+          "isExternal": false,
+          "isLearnt": true,
           "isAuthenticated": true,
           "riskScore": 2,
           "riskScoreCategory": "LOW"
@@ -479,7 +519,6 @@ def response_handler_private_ip(*args, **kwargs):
 
 def empty_api_response_handler(*args, **kwargs):
     data: str = kwargs["json"]["query"]
-
     r = Response()
     if "DOMAIN_EVENT" in data:
         r.text = sample_domain_event_empty_api
@@ -493,6 +532,36 @@ def empty_api_response_handler(*args, **kwargs):
     return None
 
 
+def public_api_type_response_handler(*args, **kwargs):
+    data: str = kwargs["json"]["query"]
+    r = Response()
+    if "DOMAIN_EVENT" in data:
+        r.text = sample_domain_event
+        return r
+    elif "spans(" in data:
+        r.text = sample_span_result
+        return r
+    elif "entities(" in data:
+        r.text = sample_api_result
+        return r
+    return None
+
+
+def private_api_type_response_handler(*args, **kwargs):
+    data: str = kwargs["json"]["query"]
+    r = Response()
+    if "DOMAIN_EVENT" in data:
+        r.text = sample_domain_event_with_private_ip
+        return r
+    elif "spans(" in data:
+        r.text = sample_span_result
+        return r
+    elif "entities(" in data:
+        r.text = sample_private_api_result
+        return r
+    return None
+
+
 def test_fetch_incidents_last_fetch_none(mocker):
     from Traceable import Client, fetch_incidents
     import urllib3
@@ -530,7 +599,6 @@ def test_fetch_incidents_no_linked_api(mocker):
 
     client = Client(base_url="https://mock.url", verify=False, headers=headers)
     client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
-    # client.set_threat_category_list(threatCategoryList)
     client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_limit(100)
@@ -544,6 +612,59 @@ def test_fetch_incidents_no_linked_api(mocker):
     assert rawJSON["apiType"] == "Unknown"
 
 
+def test_fetch_incidents_public_api_type(mocker):
+    from Traceable import Client, fetch_incidents
+    import urllib3
+    import json
+
+    urllib3.disable_warnings()
+    headers = {}
+    headers["Content-Type"] = "application/json"
+    headers["Accept"] = "application/json"
+
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_limit(100)
+
+    mocked_post = mocker.patch("requests.post")
+    mocked_post.side_effect = public_api_type_response_handler
+
+    next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
+    assert len(incidents) == 1
+    rawJSON = json.loads(incidents[0]["rawJSON"])
+    assert rawJSON["apiType"] == "External"
+
+
+def test_fetch_incidents_private_api_type(mocker):
+    from Traceable import Client, fetch_incidents
+    import urllib3
+    import json
+
+    urllib3.disable_warnings()
+    headers = {}
+    headers["Content-Type"] = "application/json"
+    headers["Accept"] = "application/json"
+
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_limit(100)
+
+    mocked_post = mocker.patch("requests.post")
+    mocked_post.side_effect = private_api_type_response_handler
+
+    next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
+    assert len(incidents) == 1
+    rawJSON = json.loads(incidents[0]["rawJSON"])
+    assert rawJSON["apiType"] == "Internal"
+    assert rawJSON["apiIsAuthenticated"]
+    assert rawJSON["apiRiskScore"] == 3
+    assert rawJSON["apiRiskScoreCategory"] == 'MEDIUM'
+
+
 def test_fetch_incidents_last_fetch_not_none(mocker):
     from Traceable import Client, fetch_incidents
     import urllib3
@@ -798,44 +919,96 @@ def test_get_threat_events_query(capfd):
     import urllib3
 
     output_query = (
-        """{\n  explore(\n    scope: "DOMAIN_EVENT"\n    limit: 100\n    between: {\n      startTime"""
-        + """: "2023-06-20T15:34:56Z"\n      endTime: "2023-06-26T15:34:53Z"\n    }\n    offset: 0\n    filterBy: [{k"""
-        + """eyExpression: {key: "securityScoreCategory"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW"], t"""
-        + """ype: ATTRIBUTE},{keyExpression: {key: "ipReputationLevel"}, operator: IN, value: ["CRITICAL","HIGH","MED"""
-        + """IUM","LOW","UNKNOWN"], type: ATTRIBUTE},{keyExpression: {key: "ipCategories"}, operator: IN, value: ["IP"""
-        + """_LOCATION_TYPE_UNSPECIFIED","IP_LOCATION_TYPE_ANONYMOUS_VPN","IP_LOCATION_TYPE_HOSTING_PROVIDER","IP_LOC"""
-        + """ATION_TYPE_PUBLIC_PROXY","IP_LOCATION_TYPE_TOR_EXIT_NODE","IP_LOCATION_TYPE_BOT"], type: ATTRIBUTE},{key"""
-        + """Expression: {key: "ipAbuseVelocity"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","IP_ABUSE_V"""
-        + """ELOCITY_UNSPECIFIED"], type: ATTRIBUTE}]\n    orderBy: [\n      { keyExpression: { key: "timestamp" } }"""
-        + """\n    ]\n  ) {\n    results {\n      threatCategory: selection(expression: {key: "threatCategory"}) {\n """
-        + """       value\n      }\n      id: selection(expression: { key: "id" }) {\n        value\n      }\n      n"""
-        + """ame: selection(expression: { key: "name" }) {\n        value\n      }\n      type: selection(expression:"""
-        + """ { key: "type" }) {\n        value\n      }\n      environment: selection(expression: { key: "environmen"""
-        + """t" }) {\n        value\n      }\n      serviceName: selection(expression: { key: "serviceName" }) {\n   """
-        + """     value\n      }\n      apiName: selection(expression: { key: "apiName" }) {\n        value\n      }"""
-        + """\n      apiId: selection(expression: { key: "apiId"}) {\n        value\n      }\n      serviceId: select"""
-        + """ion(expression: { key: "serviceId" }) {\n        value\n      }\n      threatActorScore: selection(expre"""
-        + """ssion: { key: "actorScore" }) {\n        value\n      }\n      anomalousAttribute: selection(expression:"""
-        + """ { key: "anomalousAttribute" }) {\n        value\n      }\n      eventDescription: selection(expression:"""
-        + """ { key: "eventDescription" }) {\n        value\n      }\n      actorId: selection(expression: { key: "ac"""
-        + """torId" }) {\n        value\n      }\n      actorCountry: selection(expression: { key: "actorCountry" }) """
-        + """{\n        value\n      }\n      actorIpAddress: selection(expression: { key: "actorIpAddress" }) {\n   """
-        + """     value\n      }\n      actorDevice: selection(expression: { key: "actorDevice" }) {\n        value\n"""
-        + """      }\n      apiUri: selection(expression: { key: "apiUri" }) {\n        value\n      }\n      traceId"""
-        + """: selection(expression: { key: "traceId" }) {\n        value\n      }\n      statusCode: selection(expre"""
-        + """ssion: { key: "statusCode" }) {\n        value\n      }\n      actorEntityId: selection(expression: { ke"""
-        + """y: "actorEntityId" }) {\n        value\n      }\n      actorScoreCategory: selection(expression: { key: """
-        + """"actorScoreCategory" }) {\n        value\n      }\n      securityScoreCategory: selection(\n        expr"""
-        + """ession: { key: "securityScoreCategory" }\n      ) {\n        value\n      }\n      securityScore: select"""
-        + """ion(expression: { key: "securityScore" }) {\n        value\n      }\n      category: selection(expressio"""
-        + """n: { key: "category" }) {\n        value\n      }\n      securityEventType: selection(expression: { key:"""
-        + """ "securityEventType" }) {\n        value\n      }\n      ipCategories: selection(expression: { key: "ipC"""
-        + """ategories" }) {\n        value\n      }\n      ipReputationLevel: selection(expression: { key: "ipReputa"""
-        + """tionLevel" }) {\n        value\n      }\n      ipAbuseVelocity: selection(expression: { key: "ipAbuseVel"""
-        + """ocity" }) {\n        value\n      }\n      spanId: selection(expression: { key: "spanId" }) {\n        v"""
-        + """alue\n      }\n      actorSession: selection(expression: { key: "actorSession" }) {\n        value\n    """
-        + """  }\n      timestamp: selection(expression: { key: "timestamp" }) {\n        value\n      }\n    }\n  }"""
-        + """\n}\n"""
+        '{\n  explore(\n    scope: "DOMAIN_EVENT"\n    limit: 100\n    between: {\n      startTime: "2023-06-20T15:34'
+        + ':56Z"\n      endTime: "2023-06-26T15:34:53Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {key'
+        + ': "securityScoreCategory"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW"], type: ATTRIBUTE},{'
+        + 'keyExpression: {key: "ipReputationLevel"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","UNKN'
+        + 'OWN"], type: ATTRIBUTE},{keyExpression: {key: "ipCategories"}, operator: IN, value: ["IP_LOCATION_TYPE_'
+        + 'UNSPECIFIED","IP_LOCATION_TYPE_ANONYMOUS_VPN","IP_LOCATION_TYPE_HOSTING_PROVIDER","IP_LOCATION_TYPE_PUB'
+        + 'LIC_PROXY","IP_LOCATION_TYPE_TOR_EXIT_NODE","IP_LOCATION_TYPE_BOT"], type: ATTRIBUTE},{keyExpression: {'
+        + 'key: "ipAbuseVelocity"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","IP_ABUSE_VELOCITY_UNSP'
+        + 'ECIFIED"], type: ATTRIBUTE}]\n    orderBy: [\n      { keyExpression: { key: "timestamp" } }\n    ]\n  )'
+        + ' {\n    results {\n        actorCountry: selection(expression: {key: "actorCountry"}) { value }\nactorI'
+        + 'pAddress: selection(expression: {key: "actorIpAddress"}) { value }\napiId: selection(expression: {key: '
+        + '"apiId"}) { value }\nenvironment: selection(expression: {key: "environment"}) { value }\neventDescripti'
+        + 'on: selection(expression: {key: "eventDescription"}) { value }\nid: selection(expression: {key: "id"}) '
+        + '{ value }\nipCategories: selection(expression: {key: "ipCategories"}) { value }\nname: selection(expres'
+        + 'sion: {key: "name"}) { value }\nsecurityScoreCategory: selection(expression: {key: "securityScoreCatego'
+        + 'ry"}) { value }\nspanId: selection(expression: {key: "spanId"}) { value }\nstatusCode: selection(expres'
+        + 'sion: {key: "statusCode"}) { value }\ntimestamp: selection(expression: {key: "timestamp"}) { value }\nt'
+        + 'raceId: selection(expression: {key: "traceId"}) { value }\nactorDevice: selection(expression: {key: "ac'
+        + 'torDevice"}) { value }\nactorEntityId: selection(expression: {key: "actorEntityId"}) { value }\nactorId'
+        + ': selection(expression: {key: "actorId"}) { value }\nactorScoreCategory: selection(expression: {key: "a'
+        + 'ctorScoreCategory"}) { value }\nactorSession: selection(expression: {key: "actorSession"}) { value }\na'
+        + 'nomalousAttribute: selection(expression: {key: "anomalousAttribute"}) { value }\napiName: selection(exp'
+        + 'ression: {key: "apiName"}) { value }\napiUri: selection(expression: {key: "apiUri"}) { value }\ncategor'
+        + 'y: selection(expression: {key: "category"}) { value }\nipAbuseVelocity: selection(expression: {key: "ip'
+        + 'AbuseVelocity"}) { value }\nipReputationLevel: selection(expression: {key: "ipReputationLevel"}) { valu'
+        + 'e }\nsecurityEventType: selection(expression: {key: "securityEventType"}) { value }\nsecurityScore: sel'
+        + 'ection(expression: {key: "securityScore"}) { value }\nserviceId: selection(expression: {key: "serviceId'
+        + '"}) { value }\nserviceName: selection(expression: {key: "serviceName"}) { value }\nactorScore: selectio'
+        + 'n(expression: {key: "actorScore"}) { value }\nthreatCategory: selection(expression: {key: "threatCatego'
+        + 'ry"}) { value }\ntype: selection(expression: {key: "type"}) { value }\n\n    }\n  }\n}\n'
+    )
+
+    starttime = datetime.strptime("2023-06-20T15:34:56Z", DATE_FORMAT)
+    endtime = datetime.strptime("2023-06-26T15:34:53Z", DATE_FORMAT)
+    urllib3.disable_warnings()
+    headers = {}
+    headers["Content-Type"] = "application/json"
+    headers["Accept"] = "application/json"
+
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    # client.set_threat_category_list(threatCategoryList)
+    client.set_ip_reputation_level_list(
+        ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]
+    )
+    client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"])
+    client.set_ip_categories_list(
+        [
+            "Unknown",
+            "Anonymous VPN",
+            "Hosting Provider",
+            "Public Proxy",
+            "TOR Exit Node",
+            "BOT",
+        ]
+    )
+    client.set_domain_event_field_list([
+        "actorDevice", "actorEntityId", "actorId", "actorScoreCategory", "actorSession", "anomalousAttribute", "apiName",
+        "apiUri", "category", "ipAbuseVelocity", "ipReputationLevel", "securityEventType", "securityScore", "serviceId",
+        "serviceName", "actorScore", "threatCategory", "type", "nonexistent"])
+    client.set_limit(100)
+
+    query = client.get_threat_events_query(starttime, endtime)
+    assert query == output_query
+    capfd.readouterr()
+
+
+def test_get_threat_events_query_no_optional_fields(capfd):
+    from Traceable import Client, DATE_FORMAT
+    from datetime import datetime
+    import urllib3
+
+    output_query = (
+        '{\n  explore(\n    scope: "DOMAIN_EVENT"\n    limit: 100\n    between: {\n      startTime: "2023-06-20T15:34:5'
+        + '6Z"\n      endTime: "2023-06-26T15:34:53Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {key: "secu'
+        + 'rityScoreCategory"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW"], type: ATTRIBUTE},{keyExpressio'
+        + 'n: {key: "ipReputationLevel"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","UNKNOWN"], type: ATTR'
+        + 'IBUTE},{keyExpression: {key: "ipCategories"}, operator: IN, value: ["IP_LOCATION_TYPE_UNSPECIFIED","IP_LOCAT'
+        + 'ION_TYPE_ANONYMOUS_VPN","IP_LOCATION_TYPE_HOSTING_PROVIDER","IP_LOCATION_TYPE_PUBLIC_PROXY","IP_LOCATION_TYP'
+        + 'E_TOR_EXIT_NODE","IP_LOCATION_TYPE_BOT"], type: ATTRIBUTE},{keyExpression: {key: "ipAbuseVelocity"}, operato'
+        + 'r: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","IP_ABUSE_VELOCITY_UNSPECIFIED"], type: ATTRIBUTE}]\n    ord'
+        + 'erBy: [\n      { keyExpression: { key: "timestamp" } }\n    ]\n  ) {\n    results {\n        actorCountry: s'
+        + 'election(expression: {key: "actorCountry"}) { value }\nactorIpAddress: selection(expression: {key: "actorIpA'
+        + 'ddress"}) { value }\napiId: selection(expression: {key: "apiId"}) { value }\nenvironment: selection(expressi'
+        + 'on: {key: "environment"}) { value }\neventDescription: selection(expression: {key: "eventDescription"}) { va'
+        + 'lue }\nid: selection(expression: {key: "id"}) { value }\nipCategories: selection(expression: {key: "ipCatego'
+        + 'ries"}) { value }\nname: selection(expression: {key: "name"}) { value }\nsecurityScoreCategory: selection(ex'
+        + 'pression: {key: "securityScoreCategory"}) { value }\nspanId: selection(expression: {key: "spanId"}) { value '
+        + '}\nstatusCode: selection(expression: {key: "statusCode"}) { value }\ntimestamp: selection(expression: {key: '
+        + '"timestamp"}) { value }\ntraceId: selection(expression: {key: "traceId"}) { value }\n\n    }\n  }\n}\n'
     )
 
     starttime = datetime.strptime("2023-06-20T15:34:56Z", DATE_FORMAT)
@@ -932,15 +1105,15 @@ def test_get_api_endpoint_details_query():
         Helper.string_to_datetime("2023-07-24T09:07:59Z"),
     )
     expected_query = (
-        'query entities\n{\n  entities(\n    scope: "API"\n    limit: 100\n    between: '
-        + '{\n      startTime: "2023-07-23T09:07:59Z"\n      endTime: "2023-07-24T09:07:59Z"\n    }\n    of'
-        + 'fset: 0\n    filterBy: [{keyExpression: {key: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-8'
-        + '9eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1c8341d8f","be344182-c100-3287-874a-cb47eac709f2"]'
-        + ', type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      name: attribute(expression: { key: "n'
-        + 'ame" })\n      isExternal: attribute(expression: { key: "isExternal" })\n      isAuthenticated: '
-        + 'attribute(expression: { key: "isAuthenticated" })\n      riskScore: attribute(expression: { key:'
-        + ' "riskScore" })\n      riskScoreCategory: attribute(expression: { key: "riskScoreCategory" })\n '
-        + "   }\n    total\n  }\n}"
+        'query entities\n{\n  entities(\n    scope: "API"\n    limit: 100\n    between: {\n      startTime: "2023-07-23'
+        + 'T09:07:59Z"\n      endTime: "2023-07-24T09:07:59Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {ke'
+        + 'y: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-89eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1c8341d8f'
+        + '","be344182-c100-3287-874a-cb47eac709f2"], type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      isExtern'
+        + 'al: attribute(expression: { key: "isExternal" })\n      isAuthenticated: attribute(expression: { key: "isAut'
+        + 'henticated" })\n      riskScore: attribute(expression: { key: "riskScore" })\n      riskScoreCategory: attri'
+        + 'bute(expression: { key: "riskScoreCategory" })\n      isLearnt: attribute(expression: { key: "isLearnt" })\n'
+        + '    }\n    total\n  }\n}'
+
     )
 
     assert query == expected_query
@@ -1003,7 +1176,8 @@ def test_fetch_incident_with_private_ipaddress(mocker):
     next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
     assert len(incidents) == 1
     assert incidents[0]["ipAddressType"] == "Internal"
-    assert incidents[0]["eventUrl"] == "https://app.mock.url/security-event/9dd9261a-23db-472e-9d2a-a4c3227d6502?time=90d&env=Fintech_app"
+    assert incidents[0]["eventUrl"] == ('https://app.mock.url/security-event/9dd9261a-23db-472e-9d2a-a4c3227d6502?time='
+                                        + '90d&env=Fintech_app')
 
 
 def test_ignore_ranges_parsing():
@@ -1091,3 +1265,56 @@ def test_is_ignored_range():
     assert client.is_ignored_status_code(450)
     assert client.is_ignored_status_code(499)
     assert not client.is_ignored_status_code(500)
+
+
+def test_process_domain_field_list():
+    from Traceable import Client
+    headers = {"Content-Type": "application/json", "Accept": "application/json"}
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_domain_event_field_list([
+        "actorDevice", "actorEntityId", "actorId", "actorScoreCategory", "actorSession", "anomalousAttribute", "apiName",
+        "apiUri", "category", "ipAbuseVelocity", "ipReputationLevel", "securityEventType", "securityScore", "serviceId",
+        "serviceName", "actorScore", "threatCategory", "type", "nonexistent"])
+    assert len(client.domain_event_field_list) == 31
+    client.set_domain_event_field_list([
+        "actorDevice", "actorEntityId", "actorId", "actorScoreCategory", "actorSession", "anomalousAttribute", "apiName",
+        "apiUri", "category", "ipAbuseVelocity", "ipReputationLevel", "securityEventType", "securityScore", "serviceId",
+        "serviceName", "actorScore", "threatCategory"])
+    assert len(client.domain_event_field_list) == 30
+    client.set_domain_event_field_list([])
+    assert len(client.domain_event_field_list) == 13
+    client.set_domain_event_field_list(None)
+    assert len(client.domain_event_field_list) == 13
+
+
+def test_construct_field_selection_expression():
+    from Traceable import Client
+    headers = {"Content-Type": "application/json", "Accept": "application/json"}
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_domain_event_field_list([
+        "actorDevice", "actorEntityId", "actorId", "actorScoreCategory", "actorSession", "anomalousAttribute", "apiName",
+        "apiUri", "category", "ipAbuseVelocity", "ipReputationLevel", "securityEventType", "securityScore", "serviceId",
+        "serviceName", "actorScore", "threatCategory", "type", "nonexistent"])
+    expression_string = client.get_domain_event_query_fields()
+    expected_output = 'actorCountry: selection(expression: {key: "actorCountry"}) { value }\nactorIpAddress: ' \
+        + 'selection(expression: {key: "actorIpAddress"}) { value }\napiId: selection(expression: {key: "apiId"}) ' \
+        + '{ value }\nenvironment: selection(expression: {key: "environment"}) { value }\neventDescription: selection' \
+        + '(expression: {key: "eventDescription"}) { value }\nid: selection(expression: {key: "id"}) { value }\n' \
+        + 'ipCategories: selection(expression: {key: "ipCategories"}) { value }\nname: selection(expression: {key: ' \
+        + '"name"}) { value }\nsecurityScoreCategory: selection(expression: {key: "securityScoreCategory"}) { value }\n' \
+        + 'spanId: selection(expression: {key: "spanId"}) { value }\nstatusCode: selection(expression: {key: ' \
+        + '"statusCode"}) { value }\ntimestamp: selection(expression: {key: "timestamp"}) { value }\ntraceId: '\
+        + 'selection(expression: {key: "traceId"}) { value }\nactorDevice: selection(expression: {key: "actorDevice'\
+        + '"}) { value }\nactorEntityId: selection(expression: {key: "actorEntityId"}) { value }\nactorId: selection(' \
+        + 'expression: {key: "actorId"}) { value }\nactorScoreCategory: selection(expression: {key: "actorScoreCategory' \
+        + '"}) { value }\nactorSession: selection(expression: {key: "actorSession"}) { value }\nanomalousAttribute: ' \
+        + 'selection(expression: {key: "anomalousAttribute"}) { value }\napiName: selection(expression: {key: "apiName' \
+        + '"}) { value }\napiUri: selection(expression: {key: "apiUri"}) { value }\ncategory: selection(expression: ' \
+        + '{key: "category"}) { value }\nipAbuseVelocity: selection(expression: {key: "ipAbuseVelocity"}) { ' \
+        + 'value }\nipReputationLevel: selection(expression: {key: "ipReputationLevel"}) { value }\nsecurityEventType' \
+        + ': selection(expression: {key: "securityEventType"}) { value }\nsecurityScore: selection(expression: ' \
+        + '{key: "securityScore"}) { value }\nserviceId: selection(expression: {key: "serviceId"}) { value }\n' \
+        + 'serviceName: selection(expression: {key: "serviceName"}) { value }\nactorScore: selection(expression: ' \
+        + '{key: "actorScore"}) { value }\nthreatCategory: selection(expression: {key: "threatCategory"}) { value ' \
+        + '}\ntype: selection(expression: {key: "type"}) { value }\n'
+    assert expression_string == expected_output

From 4e659b206c13ea6e75371f4c1e9d01d734ac4c59 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 02:23:37 -0700
Subject: [PATCH 04/23] - Changes for api attribute selections - Additional
 unit tests

---
 .../Integrations/Traceable/Traceable.py       | 71 +++++++++++++------
 .../Integrations/Traceable/Traceable_test.py  | 70 ++++++++++++++++--
 2 files changed, 113 insertions(+), 28 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index 3a5e61c3fdfc..23791d88088e 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -99,7 +99,6 @@
       spanRequestHeaders: attribute(expression: { key: "spanRequestHeaders" })
       spanRequestCookies: attribute(expression: { key: "spanRequestCookies" })
     }
-    # total
   }
 }
 """
@@ -118,13 +117,8 @@
   ) {
     results {
       id
-      isExternal: attribute(expression: { key: "isExternal" })
-      isAuthenticated: attribute(expression: { key: "isAuthenticated" })
-      riskScore: attribute(expression: { key: "riskScore" })
-      riskScoreCategory: attribute(expression: { key: "riskScoreCategory" })
-      isLearnt: attribute(expression: { key: "isLearnt" })
+      $fields_list
     }
-    total
   }
 }"""
 
@@ -265,7 +259,12 @@ def __init__(
                                                            "category", "ipAbuseVelocity", "ipReputationLevel",
                                                            "securityEventType", "securityScore", "serviceId", "serviceName",
                                                            "actorScore", "threatCategory", "type"]
+        self.__allowed_optional_api_atrributes = [
+            "isExternal", "isAuthenticated", "riskScore", "riskScoreCategory", "isLearnt"
+        ]
+        self.optional_api_attributes = []
         self.domain_event_field_list = []
+        self.__query_api_attributes = False
         super().__init__(base_url, verify, proxy, ok_codes, headers, auth, timeout)
 
     def set_security_score_category_list(self, securityScoreCategoryList):
@@ -367,7 +366,7 @@ def __process_domain_event_field_list(self, field_list: list):
 
         if field_list is not None and len(field_list) > 0:
             for field in field_list:
-                if field in self.__allowed_optional_domain_event_field_list:
+                if field in self.__allowed_optional_domain_event_field_list and field not in final_list:
                     final_list.append(field)
                     demisto.log(f"Adding {field} to list of Incident fields to query.")
                 else:
@@ -385,6 +384,17 @@ def get_domain_event_query_fields(self):
     def set_domain_event_field_list(self, field_list):
         self.domain_event_field_list = self.__process_domain_event_field_list(field_list)
 
+    def set_optional_api_attributes(self, field_list):
+        if len(field_list) == 0:
+            field_list = []
+        final_attributes_list = []
+        for attribute in field_list:
+            if attribute in self.__allowed_optional_api_atrributes and attribute not in final_attributes_list:
+                final_attributes_list.append(attribute)
+        self.optional_api_attributes = final_attributes_list
+        if len(self.optional_api_attributes) > 0:
+            self.__query_api_attributes = True
+
     def graphql_query(self, query, params={}, verify=False):
         demisto.debug("Entered from graphql_query")
         demisto.debug("Running request...")
@@ -520,8 +530,10 @@ def get_api_endpoint_details_query(self, api_id_list, starttime, endtime):
         filter_by_clause = Helper.construct_filterby_expression(
             Helper.construct_key_expression("id", api_id_list)
         )
+        fields_list = Helper.construct_field_attribute_expression(self.optional_api_attributes)
         return Template(api_entities_query).substitute(
             filter_by_clause=filter_by_clause,
+            fields_list=fields_list,
             limit=self.limit,
             starttime=Helper.datetime_to_string(starttime),
             endtime=Helper.datetime_to_string(endtime),
@@ -603,13 +615,17 @@ def get_threat_events(
                 future_list.append((domain_event, future))
                 demisto.info("Completed thread for span retrieval")
 
-        api_endpoint_details = self.get_api_endpoint_details(
-            api_id_list, starttime, endtime
-        )
-        api_endpoint_details_map = {
-            api_endpoint_detail["id"]: api_endpoint_detail
-            for api_endpoint_detail in api_endpoint_details
-        }
+        api_endpoint_details = []
+        api_endpoint_details_map = {}
+
+        if self.__query_api_attributes:
+            api_endpoint_details = self.get_api_endpoint_details(
+                api_id_list, starttime, endtime
+            )
+            api_endpoint_details_map = {
+                api_endpoint_detail["id"]: api_endpoint_detail
+                for api_endpoint_detail in api_endpoint_details
+            }
         api_endpoint_details = None
 
         for domain_event, future in future_list:
@@ -662,7 +678,9 @@ def get_threat_events(
                     domain_event["ipAddressType"] = "External"
 
             if (
-                "apiId" in domain_event
+                self.__query_api_attributes
+                and "isExternal" in self.optional_api_attributes
+                and "apiId" in domain_event
                 and "value" in domain_event["apiId"]
                 and domain_event["apiId"]["value"] is not None
                 and domain_event["apiId"]["value"] != "null"
@@ -683,7 +701,9 @@ def get_threat_events(
                 else:
                     domain_event["apiType"] = "Internal"
             if (
-                "apiId" in domain_event
+                self.__query_api_attributes
+                and "isAuthenticated" in self.optional_api_attributes
+                and "apiId" in domain_event
                 and "value" in domain_event["apiId"]
                 and domain_event["apiId"]["value"] is not None
                 and domain_event["apiId"]["value"] != "null"
@@ -700,7 +720,9 @@ def get_threat_events(
             ):
                 domain_event["apiIsAuthenticated"] = api_endpoint_details_map[domain_event["apiId"]["value"]]["isAuthenticated"]
             if (
-                "apiId" in domain_event
+                self.__query_api_attributes
+                and "riskScore" in self.optional_api_attributes
+                and "apiId" in domain_event
                 and "value" in domain_event["apiId"]
                 and domain_event["apiId"]["value"] is not None
                 and domain_event["apiId"]["value"] != "null"
@@ -717,7 +739,9 @@ def get_threat_events(
             ):
                 domain_event["apiRiskScore"] = api_endpoint_details_map[domain_event["apiId"]["value"]]["riskScore"]
             if (
-                "apiId" in domain_event
+                self.__query_api_attributes
+                and "riskScoreCategory" in self.optional_api_attributes
+                and "apiId" in domain_event
                 and "value" in domain_event["apiId"]
                 and domain_event["apiId"]["value"] is not None
                 and domain_event["apiId"]["value"] != "null"
@@ -737,7 +761,9 @@ def get_threat_events(
                 ]
 
             if (
-                "apiId" in domain_event
+                self.__query_api_attributes
+                and "isLearnt" in self.optional_api_attributes
+                and "apiId" in domain_event
                 and "value" in domain_event["apiId"]
                 and domain_event["apiId"]["value"] is not None
                 and domain_event["apiId"]["value"] != "null"
@@ -759,7 +785,7 @@ def get_threat_events(
             if "ipAddressType" not in domain_event:
                 domain_event["ipAddressType"] = "Internal"
 
-            if "apiType" not in domain_event:
+            if "apiType" not in domain_event and self.__query_api_attributes and "isExternal" in self.optional_api_attributes:
                 domain_event["apiType"] = "Unknown"
 
             if ("id" in domain_event and "value" in domain_event["id"] and self.app_url != ""
@@ -893,6 +919,7 @@ def main() -> None:
         ipCategoriesList = demisto.params().get("ipCategories")
         ignoreStatusCodes = demisto.params().get("ignoreStatusCodes", "")
         optionalDomainEventFieldList = demisto.params().get("optionalDomainEventFieldList")
+        optionalAPIAttributes = demisto.params().get("optionalAPIAttributes")
         demisto.params().get("optionalAPIAttributes")
 
         _env = demisto.params().get("environment")
@@ -917,7 +944,7 @@ def main() -> None:
         client.set_app_url(app_url)
         client.set_ignore_status_codes(ignoreStatusCodes)
         client.set_domain_event_field_list(optionalDomainEventFieldList)
-        # client.set_optional_api_attributes(optionalAPIAttributes)
+        client.set_optional_api_attributes(optionalAPIAttributes)
         client.set_limit(limit)
 
         if demisto.command() == "test-module":
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index 7ec4b2fcf596..1521707e031f 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -584,7 +584,9 @@ def test_fetch_incidents_last_fetch_none(mocker):
     next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
     assert len(incidents) == 1
     assert incidents[0]["ipAddressType"] == "External"
-    assert incidents[0]["eventUrl"] == "https://app.mock.url/security-event/9dd9261a-23db-472e-9d2a-a4c3227d6502?time=90d&env=Fintech_app"
+    assert incidents[0]["eventUrl"] == (
+        'https://app.mock.url/security-event/9dd9261a-23db-472e-9d2a-a4c3227d6502?time=90d&env=Fintech_app'
+    )
 
 
 def test_fetch_incidents_no_linked_api(mocker):
@@ -601,6 +603,7 @@ def test_fetch_incidents_no_linked_api(mocker):
     client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_optional_api_attributes(["isExternal"])
     client.set_limit(100)
 
     mocked_post = mocker.patch("requests.post")
@@ -626,6 +629,7 @@ def test_fetch_incidents_public_api_type(mocker):
     client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_optional_api_attributes(["isExternal", "isAuthenticated", "riskScore", "riskScoreCategory", "isLearnt"])
     client.set_limit(100)
 
     mocked_post = mocker.patch("requests.post")
@@ -651,6 +655,7 @@ def test_fetch_incidents_private_api_type(mocker):
     client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
     client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_optional_api_attributes(["isExternal", "isAuthenticated", "riskScore", "riskScoreCategory", "isLearnt"])
     client.set_limit(100)
 
     mocked_post = mocker.patch("requests.post")
@@ -1093,6 +1098,7 @@ def test_get_api_endpoint_details_query():
     from Traceable import Client, Helper
 
     client = Client("https://mock.url")
+    client.set_optional_api_attributes(["isExternal", "isAuthenticated", "riskScore", "riskScoreCategory", "isLearnt"])
     client.set_limit(100)
 
     query = client.get_api_endpoint_details_query(
@@ -1109,11 +1115,9 @@ def test_get_api_endpoint_details_query():
         + 'T09:07:59Z"\n      endTime: "2023-07-24T09:07:59Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {ke'
         + 'y: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-89eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1c8341d8f'
         + '","be344182-c100-3287-874a-cb47eac709f2"], type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      isExtern'
-        + 'al: attribute(expression: { key: "isExternal" })\n      isAuthenticated: attribute(expression: { key: "isAut'
-        + 'henticated" })\n      riskScore: attribute(expression: { key: "riskScore" })\n      riskScoreCategory: attri'
-        + 'bute(expression: { key: "riskScoreCategory" })\n      isLearnt: attribute(expression: { key: "isLearnt" })\n'
-        + '    }\n    total\n  }\n}'
-
+        + 'al: attribute(expression: { key: "isExternal" })\nisAuthenticated: attribute(expression: { key: "isAuthentic'
+        + 'ated" })\nriskScore: attribute(expression: { key: "riskScore" })\nriskScoreCategory: attribute(expression: {'
+        + ' key: "riskScoreCategory" })\nisLearnt: attribute(expression: { key: "isLearnt" })\n\n    }\n  }\n}'
     )
 
     assert query == expected_query
@@ -1318,3 +1322,57 @@ def test_construct_field_selection_expression():
         + '{key: "actorScore"}) { value }\nthreatCategory: selection(expression: {key: "threatCategory"}) { value ' \
         + '}\ntype: selection(expression: {key: "type"}) { value }\n'
     assert expression_string == expected_output
+
+
+def test_construct_api_attribute_selection():
+    from Traceable import Client, Helper
+    headers = {"Content-Type": "application/json", "Accept": "application/json"}
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_optional_api_attributes(["isExternal", "isExternal", "isAuthenticated", "nonexistent"])
+    expected_output = (
+        'query entities\n{\n  entities(\n    scope: "API"\n    limit: None\n    between: {\n      startTime: "2023-07-2'
+        + '3T09:07:59Z"\n      endTime: "2023-07-24T09:07:59Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {k'
+        + 'ey: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-89eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1c8341d8'
+        + 'f","be344182-c100-3287-874a-cb47eac709f2"], type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      isExter'
+        + 'nal: attribute(expression: { key: "isExternal" })\nisAuthenticated: attribute(expression: { key: "isAuthenti'
+        + 'cated" })\n\n    }\n  }\n}'
+    )
+
+    query = client.get_api_endpoint_details_query(
+        [
+            "067bb0d7-3740-3ba6-89eb-c457491fbc53",
+            "ea0f77c0-adc2-3a69-89ea-93b1c8341d8f",
+            "be344182-c100-3287-874a-cb47eac709f2",
+        ],
+        Helper.string_to_datetime("2023-07-23T09:07:59Z"),
+        Helper.string_to_datetime("2023-07-24T09:07:59Z")
+    )
+    assert query == expected_output
+
+
+def test_fetch_incidents_no_api_attributes_selection(mocker):
+    from Traceable import Client, fetch_incidents
+    import urllib3
+    import json
+
+    urllib3.disable_warnings()
+    headers = {}
+    headers["Content-Type"] = "application/json"
+    headers["Accept"] = "application/json"
+
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_limit(100)
+
+    mocked_post = mocker.patch("requests.post")
+    mocked_post.side_effect = private_api_type_response_handler
+
+    next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
+    assert len(incidents) == 1
+    rawJSON = json.loads(incidents[0]["rawJSON"])
+    assert "apiType" not in rawJSON
+    assert "apiIsAuthenticated" not in rawJSON
+    assert "apiRiskScore" not in rawJSON
+    assert "apiRiskScoreCategory" not in rawJSON

From 878def81bb6f00c5376546a7c4fcb1427ae27857 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 02:48:37 -0700
Subject: [PATCH 05/23] Updated Release Notes.

---
 Packs/Traceable/ReleaseNotes/1_0_3.md | 32 ++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/Packs/Traceable/ReleaseNotes/1_0_3.md b/Packs/Traceable/ReleaseNotes/1_0_3.md
index a4ac784b23d1..a28194f9fa03 100644
--- a/Packs/Traceable/ReleaseNotes/1_0_3.md
+++ b/Packs/Traceable/ReleaseNotes/1_0_3.md
@@ -3,6 +3,36 @@
 
 ##### Traceable
 
-- %%UPDATE_RN%%
+- Introduced new fields in the Incident to specify type of IP Address (**ipAddressType**) with values **Internal** or **External**
+- Introduced new fields in the Incident to specify type of API (**apiType**) with values **Internal** or **External**
+- Added new Incident field **eventUrl** containing the link to open the Incident Event in the Traceable Platform.
+- Ability to select the optional fields for the Incidents.
+  - actorDevice
+  - actorEntityId
+  - actorId
+  - actorScoreCategory
+  - actorSession
+  - anomalousAttribute
+  - apiName
+  - apiUri
+  - category
+  - ipAbuseVelocity
+  - ipReputationLevel
+  - securityEventType
+  - securityScore
+  - serviceId
+  - serviceName
+  - actorScore
+  - threatCategory
+  - type
+- Ability to pull optional attributes of the affected APIs of the reported incidents:
+  - isExternal
+  - isAuthenticated
+  - riskScore
+  - riskScoreCategory
+  - isLearnt
+- Incidents for the selected **HTTP Status Codes** can now be ignored and not created in XSOAR.
+- Added additional input configuration for the Integration to provide the base url of the Traceable Platform UI endpoint.
+- Added additional input configuration to configure the HTTP Status Codes for which the Incidents should be ignored.
 - Updated the Docker image to: *demisto/python3:3.10.12.68714*.
 

From 621cbf3e5bcba22062244b22e79fc4d97bbf0214 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 03:06:55 -0700
Subject: [PATCH 06/23] Removing unused Integration configurations.

---
 .../Integrations/Traceable/Traceable.yml         | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.yml b/Packs/Traceable/Integrations/Traceable/Traceable.yml
index ac996a3d884f..3dca332fdbb3 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.yml
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.yml
@@ -99,22 +99,6 @@ configuration:
   - TOR Exit Node
   - BOT
   - Unknown
-- display: "IP Address Type"
-  defaultvalue: External
-  name: ipAddressType
-  required: false
-  type: 16
-  options:
-  - Internal
-  - External
-- display: "API Type"
-  name: apiType
-  required: false
-  defaultvalue: External
-  type: 16
-  options:
-  - Internal
-  - External
 - display: Traceable Platform Endpoint URL
   name: app_url
   defaultvalue: https://app.traceable.ai

From 78bc277ca7ad840d546dac18d17900d2d8779c74 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 03:39:54 -0700
Subject: [PATCH 07/23] Readme changes.

---
 Packs/Traceable/Integrations/Traceable/README.md     | 6 +++++-
 Packs/Traceable/Integrations/Traceable/Traceable.py  | 5 +++--
 Packs/Traceable/Integrations/Traceable/Traceable.yml | 5 +++--
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/README.md b/Packs/Traceable/Integrations/Traceable/README.md
index f7745c42aee6..85fb3b734cb6 100644
--- a/Packs/Traceable/Integrations/Traceable/README.md
+++ b/Packs/Traceable/Integrations/Traceable/README.md
@@ -8,7 +8,7 @@ With this integration, an Incident can be raised in Cortex Xsoar when an Event i
 To use the integration the following mandatory parameters need to be set:
 |Parameter Name|Default Value|Description|
 |------|------|------|
-|Traceable Platform URL|https://api.traceable.ai|URL of Traceable Platform API Endpoint.|
+|Traceable Platform API Endpoint URL|https://api.traceable.ai|Base URL of Traceable Platform API Endpoint.|
 |API Token|-|API Token. Used for Authenticating against the Traceable Platform|
 |Trust any certificate (not secure)|false|Trust any SSL certificate while connecting to Platform API Endpoint|
 |Use system proxy settings|false|Use the system proxy setup using the environment variables `http_proxy`/`https_proxy`|
@@ -29,6 +29,10 @@ The following parameters can be used to customize what Events should be exported
 |IP Reputation Level|Multi Select|No|CRITICAL, HIGH, MEDIUM|IP Reputations to query|
 |IP Abuse Velocity|Multi Select|No|CRITICAL, HIGH, MEDIUM|IP Abuse Velocity to query|
 |IP Location Type|Multi Select|No|-|IP Location Type to query|
+|Traceable Platform Endpoint URL|Long Text|No|https://app.traceable.ai|Base URL of the Traceable Platform UI Endpoint|
+|Ignore Status Codes|Long Text|No|400-499|Ignore Incidents for HTTP Requests failing with these Status Codes|
+|Incident optional field list|Multi Select|No|actorDevice,actorEntityId,actorId,actorScoreCategory,actorSession,anomalousAttribute,apiName,apiUri,category,ipAbuseVelocity,ipReputationLevel,securityEventType,securityScore,serviceId,serviceName,actorScore,threatCategory,type|Optional fields to pull from Traceable Event|
+|Additional API Attributes|Multi Select|No|isExternal,isAuthenticated,riskScore,riskScoreCategory,isLearnt|Additional API Attributes to query for the affected API in the Incident|
 
 ## Incident Types
 The integration generates _Exploit_ type of Inidents.
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index 23791d88088e..5325b4aa24b0 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -271,7 +271,8 @@ def set_security_score_category_list(self, securityScoreCategoryList):
         self.securityScoreCategoryList = securityScoreCategoryList
 
     def set_app_url(self, app_url):
-        self.app_url = app_url
+        if app_url is not None and app_url != "":
+            self.app_url = app_url
 
     def set_threat_category_list(self, threatCategoryList):
         self.threatCategoryList = threatCategoryList
@@ -915,7 +916,7 @@ def main() -> None:
         ipAbuseVelocityList = demisto.params().get("ipAbuseVelocity")
         limit = int(demisto.params().get("max_fetch", 100))
         span_fetch_threadpool = int(demisto.params().get("span_fetch_threadpool", 10))
-        app_url = demisto.params().get("app_url", "https://app.traceable.ai")
+        app_url = demisto.params().get("app_url")
         ipCategoriesList = demisto.params().get("ipCategories")
         ignoreStatusCodes = demisto.params().get("ignoreStatusCodes", "")
         optionalDomainEventFieldList = demisto.params().get("optionalDomainEventFieldList")
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.yml b/Packs/Traceable/Integrations/Traceable/Traceable.yml
index 3dca332fdbb3..fa97839abfd0 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.yml
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.yml
@@ -26,6 +26,7 @@ configuration:
   required: false
 - display: Fetch incidents
   name: isFetch
+  defaultvalue: 'true'
   type: 8
   required: false
 - display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
@@ -114,7 +115,7 @@ configuration:
   defaultvalue: 400-499
   type: 0
   required: false
-- display: Incident pull optional field list
+- display: Incident optional field list
   name: optionalDomainEventFieldList
   defaultvalue: actorDevice,actorEntityId,actorId,actorScoreCategory,actorSession,anomalousAttribute,apiName,apiUri,category,ipAbuseVelocity,ipReputationLevel,securityEventType,securityScore,serviceId,serviceName,actorScore,threatCategory,type
   options:
@@ -138,7 +139,7 @@ configuration:
   - type
   type: 16
   required: false
-- display: Pull Additional API Attributes
+- display: Additional API Attributes
   name: optionalAPIAttributes
   defaultvalue: isExternal,isAuthenticated,riskScore,riskScoreCategory,isLearnt
   options:

From 11dc7878b3cf1a272b9a07e7807ea26a41af118d Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 03:53:34 -0700
Subject: [PATCH 08/23] Logs causing failed Test

---
 Packs/Traceable/Integrations/Traceable/Traceable.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index 5325b4aa24b0..c0e1f3b89309 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -360,8 +360,8 @@ def set_ignore_status_codes(self, status_code_list_string):
         self.ignore_status_code_tuples = self.__parse_status_code_strings(status_code_list_string)
 
     def __process_domain_event_field_list(self, field_list: list):
-        demisto.log(f"List of allowed optional fields: {self.__allowed_optional_domain_event_field_list}")
-        demisto.log(f"Processing Option Field list: {field_list}")
+        demisto.debug(f"List of allowed optional fields: {self.__allowed_optional_domain_event_field_list}")
+        demisto.debug(f"Processing Option Field list: {field_list}")
         final_list = []
         final_list.extend(self.__mandatory_domain_event_field_list)
 
@@ -369,14 +369,14 @@ def __process_domain_event_field_list(self, field_list: list):
             for field in field_list:
                 if field in self.__allowed_optional_domain_event_field_list and field not in final_list:
                     final_list.append(field)
-                    demisto.log(f"Adding {field} to list of Incident fields to query.")
+                    demisto.debug(f"Adding {field} to list of Incident fields to query.")
                 else:
                     demisto.log(f"Ignoring {field} as it is not allowed.")
         return final_list
 
     def get_domain_event_query_fields(self):
         if len(self.domain_event_field_list) == 0:
-            demisto.log(
+            demisto.debug(
                 "Optional incident field list was not provided. Initializing with minimum required fields:"
                 + f" {self.__mandatory_domain_event_field_list}")
             self.set_domain_event_field_list(None)

From 8253a73b67484c545a51f245b9204eeb01bb34b5 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 05:10:03 -0700
Subject: [PATCH 09/23] - Fixed timestamps to include milliseconds. Else it
 misses capturing some spans.

---
 .../Integrations/Traceable/Traceable.py       | 43 +++++++++++++------
 .../Integrations/Traceable/Traceable_test.py  | 12 ++++++
 2 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index c0e1f3b89309..cf09f8db83fb 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -129,6 +129,14 @@ def construct_filterby_expression(*clauses):
         non_null_list = [i for i in clauses if i is not None]
         return "filterBy: [" + ",".join(non_null_list) + "]"
 
+    @staticmethod
+    def fix_start_timestamp(string_timestamp):
+        return f"{string_timestamp[:-1]}.000Z"
+
+    @staticmethod
+    def fix_end_timestamp(string_timestamp):
+        return f"{string_timestamp[:-1]}.999Z"
+
     @staticmethod
     def construct_field_selection_expression(field_list):
         non_null_field_list = [i for i in field_list if i is not None and i != ""]
@@ -151,6 +159,14 @@ def construct_field_attribute_expression(field_list):
     def datetime_to_string(d):
         return d.strftime(DATE_FORMAT)
 
+    @staticmethod
+    def start_datetime_to_string(d):
+        return Helper.fix_start_timestamp(Helper.datetime_to_string(d))
+
+    @staticmethod
+    def end_datetime_to_string(d):
+        return Helper.fix_end_timestamp(Helper.datetime_to_string(d))
+
     @staticmethod
     def string_to_datetime(s):
         return datetime.strptime(s, DATE_FORMAT)
@@ -452,8 +468,8 @@ def get_span_for_trace_id(self, starttime, endtime, traceid=None, spanid=None):
             trace_id_clause, span_id_clause
         )
         query = Template(get_spans_for_trace_id).substitute(
-            starttime=Helper.datetime_to_string(starttime),
-            endtime=Helper.datetime_to_string(endtime),
+            starttime=Helper.start_datetime_to_string(starttime),
+            endtime=Helper.end_datetime_to_string(endtime),
             limit=self.limit,
             filter_by_clause=filter_by_clause,
         )
@@ -520,8 +536,8 @@ def get_threat_events_query(
         demisto.info("Limit set to: " + str(self.limit))
         query = Template(get_threat_events_query).substitute(
             limit=self.limit,
-            starttime=Helper.datetime_to_string(starttime),
-            endtime=Helper.datetime_to_string(endtime),
+            starttime=Helper.start_datetime_to_string(starttime),
+            endtime=Helper.end_datetime_to_string(endtime),
             filter_by_clause=filter_by_clause,
             field_list=self.get_domain_event_query_fields()
         )
@@ -536,8 +552,8 @@ def get_api_endpoint_details_query(self, api_id_list, starttime, endtime):
             filter_by_clause=filter_by_clause,
             fields_list=fields_list,
             limit=self.limit,
-            starttime=Helper.datetime_to_string(starttime),
-            endtime=Helper.datetime_to_string(endtime),
+            starttime=Helper.start_datetime_to_string(starttime),
+            endtime=Helper.end_datetime_to_string(endtime),
         )
 
     def get_api_endpoint_details(self, api_id_list, starttime, endtime):
@@ -806,13 +822,14 @@ def get_threat_events(
             else:
                 demisto.info(f"Found Span with id: {span_id}. Adding to Event.")
                 domain_event["spans"] = trace_results["data"]["spans"]["results"]
-                events.append(domain_event)
-                if first:
-                    first = False
-                    demisto.info(f"Domain Event: {json.dumps(domain_event, indent=3)}")
-                demisto.debug(
-                    f"Complete Domain Event is: {json.dumps(domain_event, indent=2)}"
-                )
+
+            events.append(domain_event)
+            if first:
+                first = False
+                demisto.info(f"Domain Event: {json.dumps(domain_event, indent=3)}")
+            demisto.debug(
+                f"Complete Domain Event is: {json.dumps(domain_event, indent=2)}"
+            )
 
         return events
 
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index 1521707e031f..5b15ef4b3f84 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -1376,3 +1376,15 @@ def test_fetch_incidents_no_api_attributes_selection(mocker):
     assert "apiIsAuthenticated" not in rawJSON
     assert "apiRiskScore" not in rawJSON
     assert "apiRiskScoreCategory" not in rawJSON
+
+
+def test_fixing_timestamp():
+    from datetime import datetime
+    from Traceable import Helper
+    now_time = datetime.now()
+    now_time_str1 = Helper.datetime_to_string(now_time)
+    now_time_str2 = Helper.start_datetime_to_string(now_time)
+    assert now_time_str2 == (now_time_str1[:-1] + ".000Z")
+
+    now_time_str3 = Helper.end_datetime_to_string(now_time)
+    assert now_time_str3 == (now_time_str1[:-1] + ".999Z")

From 36a6861d377ac10366fe2063fb130c24ababee92 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 06:04:25 -0700
Subject: [PATCH 10/23] Fixing datetime strings and unit tests.

---
 .../Integrations/Traceable/Traceable.py       |  12 +-
 .../Integrations/Traceable/Traceable_test.py  | 131 +++++++++---------
 2 files changed, 73 insertions(+), 70 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index cf09f8db83fb..9379a7347a62 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -130,11 +130,11 @@ def construct_filterby_expression(*clauses):
         return "filterBy: [" + ",".join(non_null_list) + "]"
 
     @staticmethod
-    def fix_start_timestamp(string_timestamp):
+    def fix_start_timestamp(string_timestamp: str):
         return f"{string_timestamp[:-1]}.000Z"
 
     @staticmethod
-    def fix_end_timestamp(string_timestamp):
+    def fix_end_timestamp(string_timestamp: str):
         return f"{string_timestamp[:-1]}.999Z"
 
     @staticmethod
@@ -156,15 +156,15 @@ def construct_field_attribute_expression(field_list):
         return expression_list
 
     @staticmethod
-    def datetime_to_string(d):
+    def datetime_to_string(d: datetime):
         return d.strftime(DATE_FORMAT)
 
     @staticmethod
-    def start_datetime_to_string(d):
+    def start_datetime_to_string(d: datetime):
         return Helper.fix_start_timestamp(Helper.datetime_to_string(d))
 
     @staticmethod
-    def end_datetime_to_string(d):
+    def end_datetime_to_string(d: datetime):
         return Helper.fix_end_timestamp(Helper.datetime_to_string(d))
 
     @staticmethod
@@ -261,7 +261,7 @@ def __init__(
         self.ipReputationLevelList = None
         self.ipAbuseVelocityList = None
         self.ipCategoriesList = None
-        self.limit = None
+        self.limit = 100
         self.proxy = proxy
         self.span_fetch_threadpool = 10
         self.app_url = ""
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index 5b15ef4b3f84..ac7ca9c08ef5 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -924,36 +924,35 @@ def test_get_threat_events_query(capfd):
     import urllib3
 
     output_query = (
-        '{\n  explore(\n    scope: "DOMAIN_EVENT"\n    limit: 100\n    between: {\n      startTime: "2023-06-20T15:34'
-        + ':56Z"\n      endTime: "2023-06-26T15:34:53Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {key'
-        + ': "securityScoreCategory"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW"], type: ATTRIBUTE},{'
-        + 'keyExpression: {key: "ipReputationLevel"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","UNKN'
-        + 'OWN"], type: ATTRIBUTE},{keyExpression: {key: "ipCategories"}, operator: IN, value: ["IP_LOCATION_TYPE_'
-        + 'UNSPECIFIED","IP_LOCATION_TYPE_ANONYMOUS_VPN","IP_LOCATION_TYPE_HOSTING_PROVIDER","IP_LOCATION_TYPE_PUB'
-        + 'LIC_PROXY","IP_LOCATION_TYPE_TOR_EXIT_NODE","IP_LOCATION_TYPE_BOT"], type: ATTRIBUTE},{keyExpression: {'
-        + 'key: "ipAbuseVelocity"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","IP_ABUSE_VELOCITY_UNSP'
-        + 'ECIFIED"], type: ATTRIBUTE}]\n    orderBy: [\n      { keyExpression: { key: "timestamp" } }\n    ]\n  )'
-        + ' {\n    results {\n        actorCountry: selection(expression: {key: "actorCountry"}) { value }\nactorI'
-        + 'pAddress: selection(expression: {key: "actorIpAddress"}) { value }\napiId: selection(expression: {key: '
-        + '"apiId"}) { value }\nenvironment: selection(expression: {key: "environment"}) { value }\neventDescripti'
-        + 'on: selection(expression: {key: "eventDescription"}) { value }\nid: selection(expression: {key: "id"}) '
-        + '{ value }\nipCategories: selection(expression: {key: "ipCategories"}) { value }\nname: selection(expres'
-        + 'sion: {key: "name"}) { value }\nsecurityScoreCategory: selection(expression: {key: "securityScoreCatego'
-        + 'ry"}) { value }\nspanId: selection(expression: {key: "spanId"}) { value }\nstatusCode: selection(expres'
-        + 'sion: {key: "statusCode"}) { value }\ntimestamp: selection(expression: {key: "timestamp"}) { value }\nt'
-        + 'raceId: selection(expression: {key: "traceId"}) { value }\nactorDevice: selection(expression: {key: "ac'
-        + 'torDevice"}) { value }\nactorEntityId: selection(expression: {key: "actorEntityId"}) { value }\nactorId'
-        + ': selection(expression: {key: "actorId"}) { value }\nactorScoreCategory: selection(expression: {key: "a'
-        + 'ctorScoreCategory"}) { value }\nactorSession: selection(expression: {key: "actorSession"}) { value }\na'
-        + 'nomalousAttribute: selection(expression: {key: "anomalousAttribute"}) { value }\napiName: selection(exp'
-        + 'ression: {key: "apiName"}) { value }\napiUri: selection(expression: {key: "apiUri"}) { value }\ncategor'
-        + 'y: selection(expression: {key: "category"}) { value }\nipAbuseVelocity: selection(expression: {key: "ip'
-        + 'AbuseVelocity"}) { value }\nipReputationLevel: selection(expression: {key: "ipReputationLevel"}) { valu'
-        + 'e }\nsecurityEventType: selection(expression: {key: "securityEventType"}) { value }\nsecurityScore: sel'
-        + 'ection(expression: {key: "securityScore"}) { value }\nserviceId: selection(expression: {key: "serviceId'
-        + '"}) { value }\nserviceName: selection(expression: {key: "serviceName"}) { value }\nactorScore: selectio'
-        + 'n(expression: {key: "actorScore"}) { value }\nthreatCategory: selection(expression: {key: "threatCatego'
-        + 'ry"}) { value }\ntype: selection(expression: {key: "type"}) { value }\n\n    }\n  }\n}\n'
+        '{\n  explore(\n    scope: "DOMAIN_EVENT"\n    limit: 100\n    between: {\n      startTime: "2023-06-20T15:34:5'
+        + '6.000Z"\n      endTime: "2023-06-26T15:34:53.999Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {ke'
+        + 'y: "securityScoreCategory"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW"], type: ATTRIBUTE},{keyE'
+        + 'xpression: {key: "ipReputationLevel"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","UNKNOWN"], ty'
+        + 'pe: ATTRIBUTE},{keyExpression: {key: "ipCategories"}, operator: IN, value: ["IP_LOCATION_TYPE_UNSPECIFIED","'
+        + 'IP_LOCATION_TYPE_ANONYMOUS_VPN","IP_LOCATION_TYPE_HOSTING_PROVIDER","IP_LOCATION_TYPE_PUBLIC_PROXY","IP_LOCA'
+        + 'TION_TYPE_TOR_EXIT_NODE","IP_LOCATION_TYPE_BOT"], type: ATTRIBUTE},{keyExpression: {key: "ipAbuseVelocity"},'
+        + ' operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","IP_ABUSE_VELOCITY_UNSPECIFIED"], type: ATTRIBUTE}]'
+        + '\n    orderBy: [\n      { keyExpression: { key: "timestamp" } }\n    ]\n  ) {\n    results {\n        actorC'
+        + 'ountry: selection(expression: {key: "actorCountry"}) { value }\nactorIpAddress: selection(expression: {key: '
+        + '"actorIpAddress"}) { value }\napiId: selection(expression: {key: "apiId"}) { value }\nenvironment: selection'
+        + '(expression: {key: "environment"}) { value }\neventDescription: selection(expression: {key: "eventDescriptio'
+        + 'n"}) { value }\nid: selection(expression: {key: "id"}) { value }\nipCategories: selection(expression: {key: '
+        + '"ipCategories"}) { value }\nname: selection(expression: {key: "name"}) { value }\nsecurityScoreCategory: sel'
+        + 'ection(expression: {key: "securityScoreCategory"}) { value }\nspanId: selection(expression: {key: "spanId"})'
+        + ' { value }\nstatusCode: selection(expression: {key: "statusCode"}) { value }\ntimestamp: selection(expressio'
+        + 'n: {key: "timestamp"}) { value }\ntraceId: selection(expression: {key: "traceId"}) { value }\nactorDevice: s'
+        + 'election(expression: {key: "actorDevice"}) { value }\nactorEntityId: selection(expression: {key: "actorEntit'
+        + 'yId"}) { value }\nactorId: selection(expression: {key: "actorId"}) { value }\nactorScoreCategory: selection('
+        + 'expression: {key: "actorScoreCategory"}) { value }\nactorSession: selection(expression: {key: "actorSession"'
+        + '}) { value }\nanomalousAttribute: selection(expression: {key: "anomalousAttribute"}) { value }\napiName: sel'
+        + 'ection(expression: {key: "apiName"}) { value }\napiUri: selection(expression: {key: "apiUri"}) { value }\nca'
+        + 'tegory: selection(expression: {key: "category"}) { value }\nipAbuseVelocity: selection(expression: {key: "ip'
+        + 'AbuseVelocity"}) { value }\nipReputationLevel: selection(expression: {key: "ipReputationLevel"}) { value }\n'
+        + 'securityEventType: selection(expression: {key: "securityEventType"}) { value }\nsecurityScore: selection(exp'
+        + 'ression: {key: "securityScore"}) { value }\nserviceId: selection(expression: {key: "serviceId"}) { value }\n'
+        + 'serviceName: selection(expression: {key: "serviceName"}) { value }\nactorScore: selection(expression: {key: '
+        + '"actorScore"}) { value }\nthreatCategory: selection(expression: {key: "threatCategory"}) { value }\ntype: se'
+        + 'lection(expression: {key: "type"}) { value }\n\n    }\n  }\n}\n'
     )
 
     starttime = datetime.strptime("2023-06-20T15:34:56Z", DATE_FORMAT)
@@ -998,22 +997,23 @@ def test_get_threat_events_query_no_optional_fields(capfd):
 
     output_query = (
         '{\n  explore(\n    scope: "DOMAIN_EVENT"\n    limit: 100\n    between: {\n      startTime: "2023-06-20T15:34:5'
-        + '6Z"\n      endTime: "2023-06-26T15:34:53Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {key: "secu'
-        + 'rityScoreCategory"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW"], type: ATTRIBUTE},{keyExpressio'
-        + 'n: {key: "ipReputationLevel"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","UNKNOWN"], type: ATTR'
-        + 'IBUTE},{keyExpression: {key: "ipCategories"}, operator: IN, value: ["IP_LOCATION_TYPE_UNSPECIFIED","IP_LOCAT'
-        + 'ION_TYPE_ANONYMOUS_VPN","IP_LOCATION_TYPE_HOSTING_PROVIDER","IP_LOCATION_TYPE_PUBLIC_PROXY","IP_LOCATION_TYP'
-        + 'E_TOR_EXIT_NODE","IP_LOCATION_TYPE_BOT"], type: ATTRIBUTE},{keyExpression: {key: "ipAbuseVelocity"}, operato'
-        + 'r: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","IP_ABUSE_VELOCITY_UNSPECIFIED"], type: ATTRIBUTE}]\n    ord'
-        + 'erBy: [\n      { keyExpression: { key: "timestamp" } }\n    ]\n  ) {\n    results {\n        actorCountry: s'
-        + 'election(expression: {key: "actorCountry"}) { value }\nactorIpAddress: selection(expression: {key: "actorIpA'
-        + 'ddress"}) { value }\napiId: selection(expression: {key: "apiId"}) { value }\nenvironment: selection(expressi'
-        + 'on: {key: "environment"}) { value }\neventDescription: selection(expression: {key: "eventDescription"}) { va'
-        + 'lue }\nid: selection(expression: {key: "id"}) { value }\nipCategories: selection(expression: {key: "ipCatego'
-        + 'ries"}) { value }\nname: selection(expression: {key: "name"}) { value }\nsecurityScoreCategory: selection(ex'
-        + 'pression: {key: "securityScoreCategory"}) { value }\nspanId: selection(expression: {key: "spanId"}) { value '
-        + '}\nstatusCode: selection(expression: {key: "statusCode"}) { value }\ntimestamp: selection(expression: {key: '
-        + '"timestamp"}) { value }\ntraceId: selection(expression: {key: "traceId"}) { value }\n\n    }\n  }\n}\n'
+        + '6.000Z"\n      endTime: "2023-06-26T15:34:53.999Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {ke'
+        + 'y: "securityScoreCategory"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW"], type: ATTRIBUTE},{keyE'
+        + 'xpression: {key: "ipReputationLevel"}, operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","UNKNOWN"], ty'
+        + 'pe: ATTRIBUTE},{keyExpression: {key: "ipCategories"}, operator: IN, value: ["IP_LOCATION_TYPE_UNSPECIFIED","'
+        + 'IP_LOCATION_TYPE_ANONYMOUS_VPN","IP_LOCATION_TYPE_HOSTING_PROVIDER","IP_LOCATION_TYPE_PUBLIC_PROXY","IP_LOCA'
+        + 'TION_TYPE_TOR_EXIT_NODE","IP_LOCATION_TYPE_BOT"], type: ATTRIBUTE},{keyExpression: {key: "ipAbuseVelocity"},'
+        + ' operator: IN, value: ["CRITICAL","HIGH","MEDIUM","LOW","IP_ABUSE_VELOCITY_UNSPECIFIED"], type: ATTRIBUTE}]'
+        + '\n    orderBy: [\n      { keyExpression: { key: "timestamp" } }\n    ]\n  ) {\n    results {\n        actorC'
+        + 'ountry: selection(expression: {key: "actorCountry"}) { value }\nactorIpAddress: selection(expression: {key: '
+        + '"actorIpAddress"}) { value }\napiId: selection(expression: {key: "apiId"}) { value }\nenvironment: selection'
+        + '(expression: {key: "environment"}) { value }\neventDescription: selection(expression: {key: "eventDescriptio'
+        + 'n"}) { value }\nid: selection(expression: {key: "id"}) { value }\nipCategories: selection(expression: {key: '
+        + '"ipCategories"}) { value }\nname: selection(expression: {key: "name"}) { value }\nsecurityScoreCategory: sel'
+        + 'ection(expression: {key: "securityScoreCategory"}) { value }\nspanId: selection(expression: {key: "spanId"})'
+        + ' { value }\nstatusCode: selection(expression: {key: "statusCode"}) { value }\ntimestamp: selection(expressio'
+        + 'n: {key: "timestamp"}) { value }\ntraceId: selection(expression: {key: "traceId"}) { value }\n\n    }\n  }\n'
+        + '}\n'
     )
 
     starttime = datetime.strptime("2023-06-20T15:34:56Z", DATE_FORMAT)
@@ -1096,28 +1096,29 @@ def test_graphql_query_non_200(mocker, caplog, capfd):
 
 def test_get_api_endpoint_details_query():
     from Traceable import Client, Helper
-
+    from datetime import datetime
     client = Client("https://mock.url")
     client.set_optional_api_attributes(["isExternal", "isAuthenticated", "riskScore", "riskScoreCategory", "isLearnt"])
     client.set_limit(100)
 
+    ts = Helper.string_to_datetime("2023-08-21T12:41:27Z")
     query = client.get_api_endpoint_details_query(
         [
             "067bb0d7-3740-3ba6-89eb-c457491fbc53",
             "ea0f77c0-adc2-3a69-89ea-93b1c8341d8f",
             "be344182-c100-3287-874a-cb47eac709f2",
         ],
-        Helper.string_to_datetime("2023-07-23T09:07:59Z"),
-        Helper.string_to_datetime("2023-07-24T09:07:59Z"),
+        ts,
+        ts
     )
     expected_query = (
-        'query entities\n{\n  entities(\n    scope: "API"\n    limit: 100\n    between: {\n      startTime: "2023-07-23'
-        + 'T09:07:59Z"\n      endTime: "2023-07-24T09:07:59Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {ke'
-        + 'y: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-89eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1c8341d8f'
-        + '","be344182-c100-3287-874a-cb47eac709f2"], type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      isExtern'
-        + 'al: attribute(expression: { key: "isExternal" })\nisAuthenticated: attribute(expression: { key: "isAuthentic'
-        + 'ated" })\nriskScore: attribute(expression: { key: "riskScore" })\nriskScoreCategory: attribute(expression: {'
-        + ' key: "riskScoreCategory" })\nisLearnt: attribute(expression: { key: "isLearnt" })\n\n    }\n  }\n}'
+        'query entities\n{\n  entities(\n    scope: "API"\n    limit: 100\n    between: {\n      startTime: "2023-08-21'
+        + 'T12:41:27.000Z"\n      endTime: "2023-08-21T12:41:27.999Z"\n    }\n    offset: 0\n    filterBy: [{keyExpress'
+        + 'ion: {key: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-89eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1'
+        + 'c8341d8f","be344182-c100-3287-874a-cb47eac709f2"], type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      '
+        + 'isExternal: attribute(expression: { key: "isExternal" })\nisAuthenticated: attribute(expression: { key: "isA'
+        + 'uthenticated" })\nriskScore: attribute(expression: { key: "riskScore" })\nriskScoreCategory: attribute(expre'
+        + 'ssion: { key: "riskScoreCategory" })\nisLearnt: attribute(expression: { key: "isLearnt" })\n\n    }\n  }\n}'
     )
 
     assert query == expected_query
@@ -1326,26 +1327,28 @@ def test_construct_field_selection_expression():
 
 def test_construct_api_attribute_selection():
     from Traceable import Client, Helper
+    from datetime import datetime
     headers = {"Content-Type": "application/json", "Accept": "application/json"}
     client = Client(base_url="https://mock.url", verify=False, headers=headers)
     client.set_optional_api_attributes(["isExternal", "isExternal", "isAuthenticated", "nonexistent"])
     expected_output = (
-        'query entities\n{\n  entities(\n    scope: "API"\n    limit: None\n    between: {\n      startTime: "2023-07-2'
-        + '3T09:07:59Z"\n      endTime: "2023-07-24T09:07:59Z"\n    }\n    offset: 0\n    filterBy: [{keyExpression: {k'
-        + 'ey: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-89eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1c8341d8'
-        + 'f","be344182-c100-3287-874a-cb47eac709f2"], type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      isExter'
-        + 'nal: attribute(expression: { key: "isExternal" })\nisAuthenticated: attribute(expression: { key: "isAuthenti'
-        + 'cated" })\n\n    }\n  }\n}'
+        'query entities\n{\n  entities(\n    scope: "API"\n    limit: 100\n    between: {\n      startTime: "2023-08-21'
+        + 'T12:41:27.000Z"\n      endTime: "2023-08-21T12:41:27.999Z"\n    }\n    offset: 0\n    filterBy: [{keyExpress'
+        + 'ion: {key: "id"}, operator: IN, value: ["067bb0d7-3740-3ba6-89eb-c457491fbc53","ea0f77c0-adc2-3a69-89ea-93b1'
+        + 'c8341d8f","be344182-c100-3287-874a-cb47eac709f2"], type: ATTRIBUTE}]\n  ) {\n    results {\n      id\n      '
+        + 'isExternal: attribute(expression: { key: "isExternal" })\nisAuthenticated: attribute(expression: { key: "isA'
+        + 'uthenticated" })\n\n    }\n  }\n}'
     )
 
+    ts = Helper.string_to_datetime("2023-08-21T12:41:27Z")
     query = client.get_api_endpoint_details_query(
         [
             "067bb0d7-3740-3ba6-89eb-c457491fbc53",
             "ea0f77c0-adc2-3a69-89ea-93b1c8341d8f",
             "be344182-c100-3287-874a-cb47eac709f2",
         ],
-        Helper.string_to_datetime("2023-07-23T09:07:59Z"),
-        Helper.string_to_datetime("2023-07-24T09:07:59Z")
+        ts,
+        ts
     )
     assert query == expected_output
 

From 262e31de7412280205b81c1fe286df0f53a733fb Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 06:05:18 -0700
Subject: [PATCH 11/23] removing unused imports

---
 Packs/Traceable/Integrations/Traceable/Traceable_test.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index ac7ca9c08ef5..2417fafd52dd 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -1096,7 +1096,6 @@ def test_graphql_query_non_200(mocker, caplog, capfd):
 
 def test_get_api_endpoint_details_query():
     from Traceable import Client, Helper
-    from datetime import datetime
     client = Client("https://mock.url")
     client.set_optional_api_attributes(["isExternal", "isAuthenticated", "riskScore", "riskScoreCategory", "isLearnt"])
     client.set_limit(100)
@@ -1327,7 +1326,6 @@ def test_construct_field_selection_expression():
 
 def test_construct_api_attribute_selection():
     from Traceable import Client, Helper
-    from datetime import datetime
     headers = {"Content-Type": "application/json", "Accept": "application/json"}
     client = Client(base_url="https://mock.url", verify=False, headers=headers)
     client.set_optional_api_attributes(["isExternal", "isExternal", "isAuthenticated", "nonexistent"])

From 8c26841da3162f0353c1ceb68068a1368e78ce29 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 06:27:02 -0700
Subject: [PATCH 12/23] Making logs less noisy.

---
 Packs/Traceable/Integrations/Traceable/Traceable.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index 9379a7347a62..26bc4ce7e810 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -473,7 +473,7 @@ def get_span_for_trace_id(self, starttime, endtime, traceid=None, spanid=None):
             limit=self.limit,
             filter_by_clause=filter_by_clause,
         )
-        demisto.info("Query is: " + query)
+        demisto.debug("Query is: " + query)
         return self.graphql_query(query)
 
     def get_threat_events_query(

From e108459711e5f046f657900e35ce5b6481799e74 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 17:34:03 -0700
Subject: [PATCH 13/23] Logging changes.

---
 Packs/Traceable/Integrations/Traceable/Traceable.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index 26bc4ce7e810..27f762bd4ad9 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -820,8 +820,8 @@ def get_threat_events(
                 msg = f"Error Object: {json.dumps(result)}. Couldn't get the Span."
                 demisto.info(msg)
             else:
-                demisto.info(f"Found Span with id: {span_id}. Adding to Event.")
-                domain_event["spans"] = trace_results["data"]["spans"]["results"]
+                demisto.debug(f"Found Span with id: {span_id}. Adding to Event with id {domain_event['id']['value']}.")
+                domain_event["spans"] = trace_results["data"]["spans"]["results"][0]
 
             events.append(domain_event)
             if first:

From 90d76b2ef2c8598431bd2cbdbbe5404ab742f0dd Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 21 Aug 2023 18:04:26 -0700
Subject: [PATCH 14/23] Safe value checking.

---
 Packs/Traceable/Integrations/Traceable/Traceable.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index 27f762bd4ad9..d0e63b2338c2 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -675,11 +675,11 @@ def get_threat_events(
                     "value"
                 ]
             if (
-                domain_event["ipCategories"] is not None
-                and domain_event["ipCategories"]["value"] is not None
-                and len(domain_event["ipCategories"]["value"]) > 1
-                and domain_event["actorIpAddress"] is not None
-                and domain_event["actorIpAddress"]["value"] is not None
+                "ipCategories" in domain_event
+                and "value" in domain_event["ipCategories"]
+                and len(domain_event["ipCategories"]["value"]) > 0
+                and "actorIpAddress" in domain_event
+                and "value" in domain_event["actorIpAddress"]
             ):
                 is_private = False
                 for ipCategory in domain_event["ipCategories"]["value"]:

From 99c567bcd5c0cee861daee575ae040b5601b2d88 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Tue, 22 Aug 2023 02:02:47 -0700
Subject: [PATCH 15/23] Changes to Release Notes as per the findings from the
 pre-check

---
 Packs/Traceable/ReleaseNotes/1_0_3.md | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/Packs/Traceable/ReleaseNotes/1_0_3.md b/Packs/Traceable/ReleaseNotes/1_0_3.md
index a28194f9fa03..10e79b18c25d 100644
--- a/Packs/Traceable/ReleaseNotes/1_0_3.md
+++ b/Packs/Traceable/ReleaseNotes/1_0_3.md
@@ -1,12 +1,11 @@
 
 #### Integrations
-
 ##### Traceable
-
-- Introduced new fields in the Incident to specify type of IP Address (**ipAddressType**) with values **Internal** or **External**
-- Introduced new fields in the Incident to specify type of API (**apiType**) with values **Internal** or **External**
+- Updated the Docker image to: *demisto/python3:3.10.12.68714*.
+- Added new fields in the Incident to specify type of IP Address (**ipAddressType**) with values **Internal** or **External**.
+- Added new fields in the Incident to specify type of API (**apiType**) with values **Internal** or **External**.
 - Added new Incident field **eventUrl** containing the link to open the Incident Event in the Traceable Platform.
-- Ability to select the optional fields for the Incidents.
+- Added ability to select the optional fields for the Incidents.
   - actorDevice
   - actorEntityId
   - actorId
@@ -25,14 +24,14 @@
   - actorScore
   - threatCategory
   - type
-- Ability to pull optional attributes of the affected APIs of the reported incidents:
+- Added ability to pull optional attributes of the affected APIs of the reported incidents.
   - isExternal
   - isAuthenticated
   - riskScore
   - riskScoreCategory
   - isLearnt
-- Incidents for the selected **HTTP Status Codes** can now be ignored and not created in XSOAR.
+- You can now ignore Incidents for the selected **HTTP Status Codes**.
 - Added additional input configuration for the Integration to provide the base url of the Traceable Platform UI endpoint.
 - Added additional input configuration to configure the HTTP Status Codes for which the Incidents should be ignored.
-- Updated the Docker image to: *demisto/python3:3.10.12.68714*.
+
 

From 242cc8e181de66249de8374b76ad6bed3cf4aa9e Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Thu, 24 Aug 2023 10:18:57 -0700
Subject: [PATCH 16/23] Review comments for the Release Notes.

---
 Packs/Traceable/Integrations/Traceable/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Packs/Traceable/Integrations/Traceable/README.md b/Packs/Traceable/Integrations/Traceable/README.md
index 85fb3b734cb6..65a86158f6a0 100644
--- a/Packs/Traceable/Integrations/Traceable/README.md
+++ b/Packs/Traceable/Integrations/Traceable/README.md
@@ -6,6 +6,7 @@ With this integration, an Incident can be raised in Cortex Xsoar when an Event i
 
 ## Setup
 To use the integration the following mandatory parameters need to be set:
+
 |Parameter Name|Default Value|Description|
 |------|------|------|
 |Traceable Platform API Endpoint URL|https://api.traceable.ai|Base URL of Traceable Platform API Endpoint.|

From 03b6c096e397db75db42f347d69f55f56f2ab793 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Thu, 24 Aug 2023 10:20:00 -0700
Subject: [PATCH 17/23] Review Comments

---
 Packs/Traceable/ReleaseNotes/1_0_3.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Packs/Traceable/ReleaseNotes/1_0_3.md b/Packs/Traceable/ReleaseNotes/1_0_3.md
index 10e79b18c25d..00a9861d3b83 100644
--- a/Packs/Traceable/ReleaseNotes/1_0_3.md
+++ b/Packs/Traceable/ReleaseNotes/1_0_3.md
@@ -30,7 +30,7 @@
   - riskScore
   - riskScoreCategory
   - isLearnt
-- You can now ignore Incidents for the selected **HTTP Status Codes**.
+- Added an option to ignore incidents failing with specific HTTP Status Codes set on instance's configuration.
 - Added additional input configuration for the Integration to provide the base url of the Traceable Platform UI endpoint.
 - Added additional input configuration to configure the HTTP Status Codes for which the Incidents should be ignored.
 

From 7254c47c9547fe62ad9b5f491a82db8bd13900d1 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 28 Aug 2023 01:46:56 -0700
Subject: [PATCH 18/23] Review Comments - changing demisto.log to demisto.info.

---
 Packs/Traceable/Integrations/Traceable/Traceable.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index d0e63b2338c2..20f6113ddd3c 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -348,23 +348,23 @@ def __parse_status_code_strings(self, status_code_list_string: str):
             upper = -1
             bounds_len = len(bounds)
             if bounds_len > 2:
-                demisto.log(f"Invalid status code range {range}. Ignoring.")
+                demisto.info(f"Invalid status code range {range}. Ignoring.")
                 continue
             if bounds_len > 0:
                 try:
                     lower = int(bounds[0].lstrip().rstrip())
                     upper = lower
                 except ValueError as e:
-                    demisto.log(f"Couldn't parse bounds for status code range {range}. Exception {e}. Ignoring Range.")
+                    demisto.info(f"Couldn't parse bounds for status code range {range}. Exception {e}. Ignoring Range.")
                     continue
             if bounds_len > 1:
                 try:
                     upper = int(bounds[1].lstrip().rstrip())
                 except ValueError as e:
-                    demisto.log(f"Couldn't parse bounds for status code range {range}. Exception {e}. Ignoring Range.")
+                    demisto.info(f"Couldn't parse bounds for status code range {range}. Exception {e}. Ignoring Range.")
                     continue
             if lower < 100 or lower > 599 or upper < 100 or upper > 599 or lower > upper:
-                demisto.log(f"Invalid status code range {range}. Ignoring.")
+                demisto.info(f"Invalid status code range {range}. Ignoring.")
                 continue
             range_tuple_list.append((lower, upper))
         return range_tuple_list
@@ -387,7 +387,7 @@ def __process_domain_event_field_list(self, field_list: list):
                     final_list.append(field)
                     demisto.debug(f"Adding {field} to list of Incident fields to query.")
                 else:
-                    demisto.log(f"Ignoring {field} as it is not allowed.")
+                    demisto.info(f"Ignoring {field} as it is not allowed.")
         return final_list
 
     def get_domain_event_query_fields(self):

From 2f3da262fb03ee7fb8041a6d7145f1334524f736 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 28 Aug 2023 02:01:08 -0700
Subject: [PATCH 19/23] Pre-commit - changing the version of the docker image.

---
 Packs/Traceable/Integrations/Traceable/Traceable.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.yml b/Packs/Traceable/Integrations/Traceable/Traceable.yml
index fa97839abfd0..e6577f8f11c2 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.yml
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.yml
@@ -26,9 +26,9 @@ configuration:
   required: false
 - display: Fetch incidents
   name: isFetch
-  defaultvalue: 'true'
   type: 8
   required: false
+  defaultvalue: 'true'
 - display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
   name: first_fetch
   defaultvalue: 1 days
@@ -101,10 +101,10 @@ configuration:
   - BOT
   - Unknown
 - display: Traceable Platform Endpoint URL
-  name: app_url
   defaultvalue: https://app.traceable.ai
-  type: 0
+  name: app_url
   required: false
+  type: 0
 - display: Incident type
   defaultvalue: Exploit
   name: incidentType
@@ -160,7 +160,7 @@ script:
   script: "-"
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.12.68714
+  dockerimage: demisto/python3:3.10.13.72123
 fromversion: 5.5.0
 tests:
 - No tests (auto formatted)

From ffd69783db5d3d960ce3ceab91cccaefc4587994 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Mon, 28 Aug 2023 02:14:22 -0700
Subject: [PATCH 20/23] Pre-commit - changing docker version in the release
 notes.

---
 Packs/Traceable/ReleaseNotes/1_0_3.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Packs/Traceable/ReleaseNotes/1_0_3.md b/Packs/Traceable/ReleaseNotes/1_0_3.md
index 00a9861d3b83..860eef505d3d 100644
--- a/Packs/Traceable/ReleaseNotes/1_0_3.md
+++ b/Packs/Traceable/ReleaseNotes/1_0_3.md
@@ -1,7 +1,8 @@
 
 #### Integrations
 ##### Traceable
-- Updated the Docker image to: *demisto/python3:3.10.12.68714*.
+- Updated the Docker image to: *demisto/python3:3.10.13.72123*.
+
 - Added new fields in the Incident to specify type of IP Address (**ipAddressType**) with values **Internal** or **External**.
 - Added new fields in the Incident to specify type of API (**apiType**) with values **Internal** or **External**.
 - Added new Incident field **eventUrl** containing the link to open the Incident Event in the Traceable Platform.

From ac936276e9ad14d79b0aad39ee880ca40e01b248 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Tue, 29 Aug 2023 07:54:23 -0700
Subject: [PATCH 21/23] Removing redundant point from the release notes.

---
 Packs/Traceable/ReleaseNotes/1_0_3.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Packs/Traceable/ReleaseNotes/1_0_3.md b/Packs/Traceable/ReleaseNotes/1_0_3.md
index 860eef505d3d..d3bc86a20d07 100644
--- a/Packs/Traceable/ReleaseNotes/1_0_3.md
+++ b/Packs/Traceable/ReleaseNotes/1_0_3.md
@@ -33,6 +33,5 @@
   - isLearnt
 - Added an option to ignore incidents failing with specific HTTP Status Codes set on instance's configuration.
 - Added additional input configuration for the Integration to provide the base url of the Traceable Platform UI endpoint.
-- Added additional input configuration to configure the HTTP Status Codes for which the Incidents should be ignored.
 
 

From 7884e9fa025f8abd97f3f4fcf6935378a137511c Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Tue, 29 Aug 2023 13:48:19 -0700
Subject: [PATCH 22/23] - Fixed a index out of bound error - Corrected log
 statements - Added a unit test for eventUrl

---
 .../Integrations/Traceable/Traceable.py       | 25 ++++++++-----
 .../Integrations/Traceable/Traceable_test.py  | 35 +++++++++++++++++++
 2 files changed, 52 insertions(+), 8 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/Traceable.py b/Packs/Traceable/Integrations/Traceable/Traceable.py
index 20f6113ddd3c..8e2b26e69b2f 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable.py
@@ -287,8 +287,11 @@ def set_security_score_category_list(self, securityScoreCategoryList):
         self.securityScoreCategoryList = securityScoreCategoryList
 
     def set_app_url(self, app_url):
-        if app_url is not None and app_url != "":
+        if app_url:
+            demisto.info(f"Setting Traceable Platform UI Base Url to: {app_url}")
             self.app_url = app_url
+        else:
+            demisto.info("No Traceable Platform UI Base Url provided.")
 
     def set_threat_category_list(self, threatCategoryList):
         self.threatCategoryList = threatCategoryList
@@ -473,7 +476,7 @@ def get_span_for_trace_id(self, starttime, endtime, traceid=None, spanid=None):
             limit=self.limit,
             filter_by_clause=filter_by_clause,
         )
-        demisto.debug("Query is: " + query)
+        demisto.debug(f"Span query: {query}")
         return self.graphql_query(query)
 
     def get_threat_events_query(
@@ -813,20 +816,23 @@ def get_threat_events(
                     + "?time=90d&env="
                     + parse.quote(domain_event["environment"]["value"])
                 )
-            else:
-                domain_event["eventUrl"] = None
 
             if Helper.is_error(trace_results, "data", "spans", "results"):
                 msg = f"Error Object: {json.dumps(result)}. Couldn't get the Span."
                 demisto.info(msg)
             else:
-                demisto.debug(f"Found Span with id: {span_id}. Adding to Event with id {domain_event['id']['value']}.")
-                domain_event["spans"] = trace_results["data"]["spans"]["results"][0]
+                demisto.info(f"Found Span with id: {span_id}. Adding to Event with id {domain_event['id']['value']}.")
+                if len(trace_results["data"]["spans"]["results"]) > 0:
+                    domain_event["spans"] = trace_results["data"]["spans"]["results"][0]
+                else:
+                    demisto.info("Didn't find any spans. Span array length:"
+                                 + f" {len(trace_results['data']['spans']['results'])}."
+                                 + f" Span Object: {json.dumps(trace_results['data']['spans']['results'])}")
 
             events.append(domain_event)
             if first:
                 first = False
-                demisto.info(f"Domain Event: {json.dumps(domain_event, indent=3)}")
+                demisto.debug(f"Domain Event: {json.dumps(domain_event, indent=3)}")
             demisto.debug(
                 f"Complete Domain Event is: {json.dumps(domain_event, indent=2)}"
             )
@@ -887,7 +893,6 @@ def fetch_incidents(client: Client, last_run, first_fetch_time):
         incident = {
             "name": item["name"],
             "displayname": item["displayname"],
-            "eventUrl": item["eventUrl"],
             "country": item["country"],
             "sourceip": item["sourceip"],
             "riskscore": item["riskscore"],
@@ -897,6 +902,10 @@ def fetch_incidents(client: Client, last_run, first_fetch_time):
             ),
             "rawJSON": json.dumps(item),
         }
+        if ("eventUrl" in item
+                and item["eventUrl"] is not None
+                and item["eventUrl"] != ""):
+            incident["eventUrl"] = item["eventUrl"]
 
         incidents.append(incident)
 
diff --git a/Packs/Traceable/Integrations/Traceable/Traceable_test.py b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
index 2417fafd52dd..3a12861d94d9 100644
--- a/Packs/Traceable/Integrations/Traceable/Traceable_test.py
+++ b/Packs/Traceable/Integrations/Traceable/Traceable_test.py
@@ -1389,3 +1389,38 @@ def test_fixing_timestamp():
 
     now_time_str3 = Helper.end_datetime_to_string(now_time)
     assert now_time_str3 == (now_time_str1[:-1] + ".999Z")
+
+
+def test_set_app_url(mocker):
+    from Traceable import Client, fetch_incidents
+    headers = {}
+    headers["Content-Type"] = "application/json"
+    headers["Accept"] = "application/json"
+
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_app_url(None)
+    assert client.app_url == ""
+
+    client.set_app_url("")
+    assert client.app_url == ""
+
+    client.set_app_url("https://mock.url")
+    assert client.app_url == "https://mock.url"
+
+    client.set_security_score_category_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_reputation_level_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_ip_abuse_velocity_list(["CRITICAL", "HIGH", "MEDIUM", "LOW"])
+    client.set_limit(100)
+
+    mocked_post = mocker.patch("requests.post")
+    mocked_post.side_effect = private_api_type_response_handler
+    next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
+    assert len(incidents) == 1
+    assert "eventUrl" in incidents[0]
+    assert incidents[0]["eventUrl"] == ('https://mock.url/security-event/9dd9261a-23db-472e-9d2a-a4c3227d6502?time'
+                                        + '=90d&env=Fintech_app')
+
+    client = Client(base_url="https://mock.url", verify=False, headers=headers)
+    client.set_app_url(None)
+    next_run, incidents = fetch_incidents(client, {"last_fetch": None}, "3 days")
+    assert "eventUrl" not in incidents[0]

From 3cbddf5de8b46de8ac6b1564a0f9bc1985460ca8 Mon Sep 17 00:00:00 2001
From: mtraceable <mayuresh@traceable.ai>
Date: Wed, 30 Aug 2023 01:17:27 -0700
Subject: [PATCH 23/23] Review comments for the README and ReleaseNotes.

---
 .../Integrations/Traceable/README.md          | 44 +++++++++----------
 Packs/Traceable/ReleaseNotes/1_0_3.md         | 16 ++++---
 2 files changed, 31 insertions(+), 29 deletions(-)

diff --git a/Packs/Traceable/Integrations/Traceable/README.md b/Packs/Traceable/Integrations/Traceable/README.md
index 65a86158f6a0..a3d67bb9a8eb 100644
--- a/Packs/Traceable/Integrations/Traceable/README.md
+++ b/Packs/Traceable/Integrations/Traceable/README.md
@@ -1,42 +1,42 @@
 # Traceable AI API Security Platform Integration
 ## Overview
-Traceable Platform monitors Application APIs and detects Threat Activities. These Threat Events consist of the details about the Threat Activity, the Actor performing the threat activity and the Request/Response Payloads.
+Traceable platform monitors application APIs and detects _Threat Events_. These _Threat Events_ consist of the details about the _Threat Activity_, the _Actor_ performing the threat activity and the request/response payloads.
 
-With this integration, an Incident can be raised in Cortex Xsoar when an Event is detected by Traceable Platform. This enables the Security Teams to orchestrate actions through Cortex Xsoar with meaningful information about the detected Threat Activities.
+With this integration, an _Incident_ can be raised in Cortex Xsoar when an event is detected by Traceable platform. This enables the security teams to orchestrate actions through Cortex Xsoar with meaningful information about the detected _Threat Activities_.
 
 ## Setup
 To use the integration the following mandatory parameters need to be set:
 
 |Parameter Name|Default Value|Description|
 |------|------|------|
-|Traceable Platform API Endpoint URL|https://api.traceable.ai|Base URL of Traceable Platform API Endpoint.|
-|API Token|-|API Token. Used for Authenticating against the Traceable Platform|
-|Trust any certificate (not secure)|false|Trust any SSL certificate while connecting to Platform API Endpoint|
-|Use system proxy settings|false|Use the system proxy setup using the environment variables `http_proxy`/`https_proxy`|
+|Traceable Platform API Endpoint URL|https://api.traceable.ai| Base URL of the Traceable platform API endpoint. |
+|API Token|-| API token used for authenticating against the Traceable platform. |
+|Trust any certificate (not secure)|false| Trust any SSL certificate while connecting to the Traceable platform API endpoint. |
+|Use system proxy settings|false| Use the system proxy using the environment variables `http_proxy`/`https_proxy`. |
 
-The API Token can be generated as described in the [Traceable Documentation](https://docs.traceable.ai/docs/public-apis#step-1-%E2%80%93-copy-the-platform-api-token)
+The API token can be generated as described in the [Traceable Documentation](https://docs.traceable.ai/docs/public-apis#step-1-%E2%80%93-copy-the-platform-api-token)
 
 ## Customize Event/Activity Collection
-The following parameters can be used to customize what Events should be exported from the Traceable Platform and brought over into Xsoar as Security Incidents.
+The following parameters can be used to select the events that should be imported from the Traceable platform into Cortex Xsoar as security incidents.
 
 |Parameter name|Type|Required (Yes/No)|Default Value|Description|
 |------|------|------|------|------|
-|First fetch timestamp|Short Text|No|1 days|Duration in the past to query the Events when querying for the first time.|
-|max_fetch|Short Text|No|100|Number of records to return from Platform per query|
-|span_fetch_threadpool|Short Text|No|10|Number of threads to use for querying `spans` in parallel|
-|Comma Separated Environment List To Process|Long Text|No|-|Comma separated list of environments to query.|
-|Security Score Category|Multi Select|No|CRITICAL, HIGH, MEDIUM|Security Score Category to query|
-|Threat Category|Multi Select|No|Malicious Activities, API Abuse, Malicious Sources|Threat Categories to query|
-|IP Reputation Level|Multi Select|No|CRITICAL, HIGH, MEDIUM|IP Reputations to query|
-|IP Abuse Velocity|Multi Select|No|CRITICAL, HIGH, MEDIUM|IP Abuse Velocity to query|
-|IP Location Type|Multi Select|No|-|IP Location Type to query|
-|Traceable Platform Endpoint URL|Long Text|No|https://app.traceable.ai|Base URL of the Traceable Platform UI Endpoint|
-|Ignore Status Codes|Long Text|No|400-499|Ignore Incidents for HTTP Requests failing with these Status Codes|
-|Incident optional field list|Multi Select|No|actorDevice,actorEntityId,actorId,actorScoreCategory,actorSession,anomalousAttribute,apiName,apiUri,category,ipAbuseVelocity,ipReputationLevel,securityEventType,securityScore,serviceId,serviceName,actorScore,threatCategory,type|Optional fields to pull from Traceable Event|
-|Additional API Attributes|Multi Select|No|isExternal,isAuthenticated,riskScore,riskScoreCategory,isLearnt|Additional API Attributes to query for the affected API in the Incident|
+|First fetch timestamp|Short text|No|1 days| Duration in the past to query the events, when querying for the first time. |
+|max_fetch|Short text|No|100| Number of records to return from Traceable platform per query. |
+|span_fetch_threadpool|Short text|No|10| Number of threads to use for querying `spans` in parallel. |
+|Comma Separated Environment List To Process|Long text|No|-| Comma separated list of environments to query. |
+|Security Score Category|Multi select|No|CRITICAL, HIGH, MEDIUM| `Security Score Category` of the events to be queried. |
+|Threat Category|Multi select|No|Malicious Activities, API Abuse, Malicious Sources| `Threat Category` of the events to be queried. |
+|IP Reputation Level|Multi select|No|CRITICAL, HIGH, MEDIUM| `IP Reputation Level` of the events to be queried. |
+|IP Abuse Velocity|Multi select|No|CRITICAL, HIGH, MEDIUM| `IP Abuse Velocity` of the events to queried. |
+|IP Location Type|Multi select|No|-| `IP Location` type of the events to be queried. |
+|Traceable Platform Endpoint URL|Long text|No|https://app.traceable.ai| Base URL of the Traceable platform UI endpoint. |
+|Ignore Status Codes|Long text|No|400-499| Ignore incidents for attacks failing with these status codes. |
+|Incident optional field list|Multi select|No|actorDevice,actorEntityId,actorId,actorScoreCategory,actorSession,anomalousAttribute,apiName,apiUri,category,ipAbuseVelocity,ipReputationLevel,securityEventType,securityScore,serviceId,serviceName,actorScore,threatCategory,type| Optional fields to pull from the Traceable event. |
+|Additional API Attributes|Multi select|No|isExternal,isAuthenticated,riskScore,riskScoreCategory,isLearnt| Additional API attributes to query for the affected API in the incident. |
 
 ## Incident Types
-The integration generates _Exploit_ type of Inidents.
+The integration generates _Exploit_ type of incidents.
 
 ## Official Traceable Documentation
 https://docs.traceable.ai/
diff --git a/Packs/Traceable/ReleaseNotes/1_0_3.md b/Packs/Traceable/ReleaseNotes/1_0_3.md
index d3bc86a20d07..2db52df8a503 100644
--- a/Packs/Traceable/ReleaseNotes/1_0_3.md
+++ b/Packs/Traceable/ReleaseNotes/1_0_3.md
@@ -3,10 +3,11 @@
 ##### Traceable
 - Updated the Docker image to: *demisto/python3:3.10.13.72123*.
 
-- Added new fields in the Incident to specify type of IP Address (**ipAddressType**) with values **Internal** or **External**.
-- Added new fields in the Incident to specify type of API (**apiType**) with values **Internal** or **External**.
-- Added new Incident field **eventUrl** containing the link to open the Incident Event in the Traceable Platform.
-- Added ability to select the optional fields for the Incidents.
+- Added new fields in the incident to specify the type of IP address (**ipAddressType**) with values **Internal** or **External**.
+- Added new fields in the incident to specify the type of API (**apiType**) with values **Internal** or **External**.
+- Added a new incident field **eventUrl** containing the link to open the incident event in the Traceable platform.
+
+- Added the ability to select the optional fields for the incidents.
   - actorDevice
   - actorEntityId
   - actorId
@@ -25,13 +26,14 @@
   - actorScore
   - threatCategory
   - type
-- Added ability to pull optional attributes of the affected APIs of the reported incidents.
+- Added the ability to pull optional attributes of the affected APIs of the reported incidents.
   - isExternal
   - isAuthenticated
   - riskScore
   - riskScoreCategory
   - isLearnt
-- Added an option to ignore incidents failing with specific HTTP Status Codes set on instance's configuration.
-- Added additional input configuration for the Integration to provide the base url of the Traceable Platform UI endpoint.
+- Added an option to ignore incidents for attacks failing with specific HTTP status codes
+- Added an additional input configuration for the integration to provide the base URL of the Traceable platform UI endpoint.
+